Abstract: Synchronous languages rely on formal methods to facilitate the development of applications in an efficient and reusable way. In fact, formal methods have been advocated as a means of increasing the reliability of systems, especially those which are safety or business critical. It is even more difficult to develop automatic specification and verification tools due to limitations such as state explosion, undecidability, etc. In this work, we design a new specification model based on a reactive synchronous approach. We benefit from a formal framework well suited to perform compilation and formal validation of systems. In practice, we design and implement a special purpose language (LE) with two semantics: its behavioral semantics helps us to define a program by the set of its behaviors and avoids ambiguity in program interpretation; its equational semantics allows the compilation of programs into software and hardware targets (C code, VHDL code, FPGA synthesis, model checker input format). Our approach is relevant with respect to the two main requirements of realistic critical applications: modular compilation allows us to deal with large systems, while the model-based approach provides us with formal validation. There is still a lack of efficient and modular compilation means for synchronous languages. Despite relevant attempts to optimize generated code, no approach considers modular compilation. This report tackles this problem by introducing a compilation technique which relies on the equational semantics to ensure modularity, completed by a new algorithm to check causality cycles in the whole program without checking again the causality of sub-programs.

Key-words: synchronous language, modular compilation, behavioral semantics, equational constructive semantics, modularity, separate compilation.
Modular Compilation of a Synchronous Language

Résumé (translated from French): In this report, we study the development of critical systems. Formal methods have proven to be an efficient means of increasing the reliability of such systems, in particular those which require a certain safety of operation. Nevertheless, the development of automatic specification and verification tools is limited, among other things, by the size of the formal models of the systems or by undecidability problems. In this work, we define a synchronous reactive language (LE) dedicated to the specification of critical systems. In doing so, we benefit from a formal framework on which we rely to compile separately and validate applications. More precisely, we define two semantics for our language: a behavioral semantics which associates with a program the set of its behaviors and thus avoids any ambiguity in the interpretation of programs. We also define an equational semantics driving the compilation of programs towards different targets (C code, VHDL code, FPGA synthesizers, observers), thus making it possible to handle software and hardware applications and also to validate them. Our approach is relevant with respect to the two main requirements of real critical applications: modular compilation makes it possible to handle large applications and the formal approach makes validation possible. One can observe that the field of synchronous languages still lacks methods to compile programs in an efficient and modular way. Of course, some approaches optimize the generated code by a significant factor, but none of them considers modular compilation.

Keywords: synchronous language, modular compilation, behavioral semantics, equational constructive semantics, modularity, separate compilation.
1 Introduction

We address the design of safety-critical control-dominated systems. By design we mean all the work that must be done from the initial specification of a system to the embedding of the validated software into its target site. The way control-dominated systems work is reactive in the sense of D. Harel and A. Pnueli's definition [11]: they react to external stimuli at a speed defined and controlled by the system's environment. The evolution of a reactive system is a sequence of reactions raised by the environment. A control-dominated application can then be naturally decomposed into a set of communicating reactive sub-systems, each dealing with some specific part of the global behavior and combined together to achieve the global goal.

It is now established that general purpose programming languages are not suited to designing reactive systems: they are clearly inefficient in dealing with the inherent complexity of such systems. The right way to proceed is to design languages dedicated to reactive systems. To this aim, synchronous languages have been designed: Esterel [3] and SyncCharts, dedicated to specifying event-driven applications, and Lustre and Signal [9], data flow languages well suited to describing signal processing applications. They are model-based languages allowing formal verification of the system behavior, and they agree on three main features:

1. Concurrency: they support functional concurrency and they rely on notations that express concurrency in a user-friendly manner. LE adopts an imperative Esterel-like style to express parallelism. However, the semantics of concurrency is the same for all synchronous languages, and simultaneity of events is primitive.

2. Simplicity: the languages' formal models are simple (usually Mealy machines or netlists) and thus formal reasoning is made tractable. In particular, the semantics of parallel composition is clean.

3. Synchrony: they support a very simple execution model. First, memory is initialized; then, for each input event set, outputs are computed and memory is updated. Moreover, all mentioned actions are assumed to take finite memory and time.

Synchronous languages rely on the synchronous hypothesis, which assumes a discrete logical time scale made of instants corresponding to reactions of the system. All the events concerned by a reaction are simultaneous: input events as well as triggered output events. As a consequence, a reaction is instantaneous (we consider that a reaction takes no time), there are no concurrent partial reactions, and determinism is thus ensured.

There are numerous advantages to the synchronous approach. The main one is that temporal semantics is simplified, thanks to the aforementioned logical time. This leads to clear temporal constructs and easier time reasoning. Another key advantage is the reduction of state-space explosion, thanks again to discrete logical time: systems evolve in a sequence of discrete steps, and nothing occurs between two successive steps. A first consequence is that program debugging, testing and validation are easier. In particular, formal verification of synchronous programs is possible with techniques like model checking. Another consequence is that synchronous language compilers are able to automatically generate embeddable code, with performance that can be measured precisely.
Although synchronous languages have begun to face the state explosion problem, there is still a need for further research on their efficient and modular compilation. The initial compilers translated the program into an extended finite state machine. The drawback of this approach is the potential state explosion problem. Polynomial compilation was first achieved by a translation to equation systems that symbolically encode the automata. This approach is successfully used for hardware synthesis and is the core of commercial tools [15], but the generated software may be very slow. Then several approaches translate the program into event graphs [16] or concurrent data flow graphs [7][13] to generate efficient C code. All these methods have been used to optimize the compilation times as well as the size and the execution of the generated code.

However, none of these approaches considers a modular compilation. Some attempts allow a distributed compilation of programs [16][7], but no compilation mechanism relies on a modular semantics of programs. Of course there is a fundamental contradiction in relying on a formal semantics to compile reactive systems, because a perfect semantics would combine three important properties: responsiveness, modularity and causality. Responsiveness means that we can deal with a logical time and we can consider that output events occur in the same reaction as the input events causing them. It is one of the foundations of the synchronous hypothesis. Causality means that for each event generated in a reaction, there is a causal chain of events leading to this generation; no causality loop may occur. A semantics is modular when "environment to component" and "component to component" communications are treated symmetrically. In particular, the semantics of the composition of two reactive systems can be deduced from the respective semantics of each sub-part. Another aspect of modularity is the coherent view each subsystem has of what is going on. When an event is present, it is broadcast all around the system and is immediately available for every part which listens to it. Unfortunately, there exists a theorem ("the RMC barrier theorem") [12] that states that these three properties cannot hold together in a semantics. Synchronous semantics are responsive and modular. But causality remains a problem in these semantics, and modular compilation must be completed by a global causality checking.

In this paper we introduce a reactive synchronous language, we define its behavioral semantics, which gives a meaning to programs, and an equational semantics allowing, first, a modular compilation and, second, a separate verification of properties. Similarly to other synchronous semantics, we must check that programs have no potential causality loop. As already mentioned, causality can only be checked globally, since a bad causality may be created when performing the parallel composition of two causal sub-programs. We compile LE programs into equation systems, and the program is causal if its compilation is cycle free. The major contribution of our approach relies on the introduction of a new sorting algorithm that allows us to start from already compiled and checked sub-programs to compile and check the overall program without sorting all the equations again.

2 LE Language

The LE language belongs to the family of reactive synchronous languages. It is a discrete control-dominated language. We first describe its syntax (the overall grammar is detailed in appendix A). The LE language units are named modules. The language's operators and constructions are chosen to fit the description of reactive applications as a set of concurrent communicating sub-systems. Communication takes place between modules or between a module and its environment. Sub-systems communicate via events.

The module interface declares the set of input events it reacts to and the set of output events it emits. For instance, the following piece of code shows the declarative part of a Control module used in the example in section 6:

    module Control:
      Input: forward, backward, upward, downward, StartCycle;
      Output: MoveFor, MoveBack, MoveDown, SuckUp, EndCycle;

2.1 LE Statements

The module body is expressed using a set of control operators. They are the cornerstone of the language because they operate over event statuses. Some operators terminate instantaneously, others take at least one instant. We mainly distinguish two kinds of operators: usual programming language operators and operators devoted to dealing with logical time.

2.1.1 Non Temporal Statements

The LE language offers two basic instructions:

• The nothing instruction does "nothing" and terminates instantaneously.

• The event emission instruction (emit speed) sets the status of the emitted signal to present.

Moreover, some operators help us to build composite instructions:

• The present-then-else instruction (present S {P1} else {P2}) is a usual conditional statement, except that boolean combinations of signal statuses are used as conditions.

• In the sequence instruction (P1 ≫ P2), the first sub-instruction P1 is executed. Then, if P1 terminates instantaneously, the sequence immediately executes its second instruction P2 and stops whenever P2 stops. If P1 stops, the sequence stops. The sequence terminates at the same instant as its second sub-instruction P2 terminates. If the two sub-instructions are instantaneous, the sequence terminates instantaneously.

• The parallel instruction (P1 || P2) begins the execution of its two sub-instructions at the same instant. It terminates when both sub-instructions terminate. When the two sub-instructions are instantaneous, the parallel is instantaneous. Notice that the parallel instruction agrees with the synchronous hypothesis and allows the simultaneity of the trigger signals causing P1 or P2.

• A strong or weak preemption instruction over a signal S can surround an instruction P, as in: abort P when S. While the signal status evaluates to "absent", instruction P continues its execution. The instant the event evaluates to "present", the instruction is forced to terminate. When the instruction is preempted, the weak preemption lets the instruction end its current execution while the strong one does not. If the instruction terminates normally without being preempted, the preemption instruction also terminates and the program execution continues.

• A loop instruction (loop {P}) surrounds an instruction P. Instruction P is automatically restarted the same instant it terminates. The body of a loop cannot be instantaneous, since the loop would start the execution of its body again within the same instant.

• The local signal instruction (local S {P}) is used to encapsulate communication channels between two sub-systems. The scope of S is restricted to P. As a consequence, each local signal tested within the body of the local instruction must be emitted from the body.

• A module call instruction (Run) is used to run an external module inside another module. Recursive calls of modules are not allowed. Running a module does not terminate instantaneously. In the declarative part of the module, you can specify the paths where the already compiled code of the called modules is:

    Run: "./TEST/control/" : Temporisation;
    Run: "./TEST/control/" : NormalCycle;

2.1.2 Temporal Statements

There are two temporal operators in LE.

• The pause instruction stops for exactly one reaction.

• The waiting instruction (wait S) waits for the presence of a signal. The first time the execution of the program reaches a wait instruction, the execution stops (whatever the signal status is). At the beginning of the following instant, if the signal status is tested "present" the instruction terminates and the program continues its execution; otherwise it stays stopped.

2.1.3 Automata Specification

Because it remains difficult to design an automaton-like behavior using the previously mentioned operators, our language offers an automaton description as a native construction. An automaton is a set of states and labeled transitions between states. Some transitions are initial and start the automaton run, while terminal states indicate that the automaton computation is over. The label of a transition has two fields: a trigger, which is a boolean combination of signal statuses, and an output, which is the list of signals emitted when the transition is taken (i.e. when the trigger part is true). LE automata are Mealy machines: they have a set of input signals to define transition triggers and a set of output signals that can be emitted when a transition is raised. In LE, the body of a module is either an instruction or an automaton. It is not allowed to build new instructions by combining instructions and automata. For instance, the only way to put in parallel an automaton and the emission of a signal is to call the module whose body is the automaton through a run operation. Practically, we offer a syntactic means to describe an automaton (see appendix A for a detailed syntax). Moreover, our graphical tool (GALAXY) helps users edit automata and generate the LE code.
3 LE Behavioral Semantics

The LE behavioral semantics is useful to give a meaning to each program and thus to define its behavior without ambiguity. To define the behavioral semantics of LE, we first introduce a logical context to represent events, then we define the LE process calculus in order to describe the behavioral semantic rules.

3.1 Mathematical Context

Similarly to other synchronous reactive languages, LE handles broadcast signals as communication means. A program reacts to input events by producing output events. An event is a signal carrying some information related to its status. The set of signal statuses ξ = {⊥, 0, 1, ⊤}¹ is intended to record the status of a signal at a given instant. Let S be a signal; $S^x$ denotes its current status. More precisely, $S^1$ means that S is present, $S^0$ means that S is absent, $S^\bot$ means that S is neither present nor absent, and finally $S^\top$ corresponds to an event whose status cannot be induced because it has two incompatible statuses in two different sub-parts of the program. For instance, if S is both absent and present, then it turns out to have the ⊤ status and thus an error occurs. Indeed, the set ξ is a complete lattice with the ≤ order:

        ⊤
       / \
      1   0
       \ /
        ⊥


Composition Laws for ξ

We define three internal composition laws in ξ: ⊞, ⊡ and ¬ (extending the usual operations defined for the classical boolean set B), as follows.

The ⊞ law is a binary operation whose result is the upper bound of its operands:

    ⊞ | 1  0  ⊤  ⊥
    --+-----------
    1 | 1  ⊤  ⊤  1
    0 | ⊤  0  ⊤  0
    ⊤ | ⊤  ⊤  ⊤  ⊤
    ⊥ | 1  0  ⊤  ⊥

Particularly:

• ⊥ ⊞ ⊥ = ⊥;

• 1 ⊞ 0 = 0 ⊞ 1 = ⊤;

• ⊤ is an absorbing element.

¹ We also denote the true and false values of the ξ boolean algebra by 1 and 0 by misuse of language. Nevertheless, when some ambiguity could occur, we will denote them 1_ξ and 0_ξ.
The ⊡ law is a binary operation whose result is the lower bound of its operands:

    ⊡ | 1  0  ⊤  ⊥
    --+-----------
    1 | 1  ⊥  1  ⊥
    0 | ⊥  0  0  ⊥
    ⊤ | 1  0  ⊤  ⊥
    ⊥ | ⊥  ⊥  ⊥  ⊥

Particularly:

• ⊤ ⊡ ⊤ = ⊤;

• 1 ⊡ 0 = 0 ⊡ 1 = ⊥;

• ⊥ is an absorbing element.
Finally, the ¬ law is an inverse law in ξ:

    x | ¬x
    --+---
    1 | 0
    0 | 1
    ⊤ | ⊥
    ⊥ | ⊤

The set ξ with these three operations verifies the axioms of a Boolean algebra: commutativity and associativity for ⊞ and ⊡, distributivity of ⊡ over ⊞ and of ⊞ over ⊡, neutral elements for ⊞ and ⊡, and complementarity.

Commutativity:
$$x \boxplus y = y \boxplus x \qquad x \boxdot y = y \boxdot x \tag{1}$$

Associativity:
$$(x \boxplus y) \boxplus z = x \boxplus (y \boxplus z) \qquad (x \boxdot y) \boxdot z = x \boxdot (y \boxdot z) \tag{2}$$

Distributivity:
$$x \boxdot (y \boxplus z) = (x \boxdot y) \boxplus (x \boxdot z) \qquad x \boxplus (y \boxdot z) = (x \boxplus y) \boxdot (x \boxplus z) \tag{3}$$

Neutral elements:
$$x \boxplus \bot = x \qquad x \boxdot \top = x \tag{4}$$

Complementarity:
$$x \boxplus \neg x = \top \qquad x \boxdot \neg x = \bot \tag{5}$$

Axioms (1) and (4) are obvious looking at the previous tables that define the ⊞ and ⊡ laws. Axioms (2) and (3) are also obviously true, but their proofs require computing the appropriate tables. Finally, axiom (5) results from the following table:

    x | x ⊞ ¬x      | x ⊡ ¬x
    --+-------------+------------
    1 | 1 ⊞ 0 = ⊤   | 1 ⊡ 0 = ⊥
    0 | 0 ⊞ 1 = ⊤   | 0 ⊡ 1 = ⊥
    ⊤ | ⊤ ⊞ ⊥ = ⊤   | ⊤ ⊡ ⊥ = ⊥
    ⊥ | ⊥ ⊞ ⊤ = ⊤   | ⊥ ⊡ ⊤ = ⊥
As a consequence, ξ is a Boolean algebra and the following theorems are valid:

Identity law:
$$x \boxplus x = x \qquad x \boxdot x = x$$

Redundancy law:
$$x \boxdot (x \boxplus y) = x \qquad x \boxplus (x \boxdot y) = x$$

De Morgan law:
$$\neg (x \boxplus y) = \neg x \boxdot \neg y \qquad \neg (x \boxdot y) = \neg x \boxplus \neg y$$

Absorbing elements:
$$x \boxplus \top = \top \qquad x \boxdot \bot = \bot$$

In such a setting, xor, nor, nand, ⇔ and ⇒ are defined:

$$x \;\mathrm{xor}\; y = (x \boxdot \neg y) \boxplus (y \boxdot \neg x)$$
$$x \;\mathrm{nor}\; y = \neg x \boxdot \neg y$$
$$x \;\mathrm{nand}\; y = \neg x \boxplus \neg y$$
$$x \Leftrightarrow y = (\neg x \boxdot \neg y) \boxplus (x \boxdot y)$$
$$x \Rightarrow y = \neg x \boxplus y$$

Hence, we can apply these classical results concerning Boolean algebras to solve equation systems whose variables belong to ξ. For instance, the equational semantics detailed in section 4 relies on boolean algebra properties to compute signal statuses as the solution of status equations. Moreover, since ξ is a lattice, the ⊞ and ⊡ operations are monotonic: let x, y and z be elements of ξ, then $(x \le y) \Rightarrow (x \boxplus z \le y \boxplus z)$ and $(x \le y) \Rightarrow (x \boxdot z \le y \boxdot z)$.



Condition Law

We introduce a condition law (◁) in ξ to drive a signal status with a boolean condition:

$$(x, c) \mapsto x \triangleleft c$$

This law is defined by the following table:

    x | c | x ◁ c
    --+---+------
    1 | 0 |  ⊥
    0 | 0 |  ⊥
    ⊤ | 0 |  ⊥
    ⊥ | 0 |  ⊥
    1 | 1 |  1
    0 | 1 |  0
    ⊤ | 1 |  ⊤
    ⊥ | 1 |  ⊥

This condition law allows us to change the status of an event according to a boolean condition. It will be useful to define both the LE behavioral and equational semantics, since the status of signals depends on the termination of the instructions that compose a module. Intuitively, a signal keeps its status if the condition is true; otherwise its status is set to ⊥.
Relation between ξ and B²

ξ is in bijection with B × B. We define the following encoding:

    signal status | encoding
    --------------+---------
          1       |   11
          0       |   10
          ⊤       |   01
          ⊥       |   00

Hence, a signal status is encoded by two boolean variables. The first boolean variable of the status of a signal S is called its definition ($S_{def}$), while the second one is called its value ($S_{val}$). According to the encoding law, when $S_{def} = 0$ the signal S has either ⊤ or ⊥ as status and it is not defined as present or absent. On the opposite, when $S_{def} = 1$, the signal is either present or absent. This is why we choose to denote the first boolean projection of a signal status by $S_{def}$.

B is the classical boolean set with three operators: and (denoted .), or (denoted +) and not (denoted $\overline{x}$ for boolean x). According to the previous encoding of ξ into B × B and after algebraic simplification, we have the following equalities related to the ⊞, ⊡ and ¬ operators. Let X and Y be two elements of ξ:

$$(X \boxplus Y)_{def} = X_{def} . \overline{Y_{def}} . \overline{Y_{val}} + \overline{X_{def}} . \overline{X_{val}} . Y_{def} + X_{def} . Y_{def} . \overline{(X_{val} \oplus Y_{val})}$$
$$(X \boxplus Y)_{val} = X_{val} + Y_{val}$$
$$(X \boxdot Y)_{def} = X_{def} . \overline{Y_{def}} . Y_{val} + \overline{X_{def}} . X_{val} . Y_{def} + X_{def} . Y_{def} . \overline{(X_{val} \oplus Y_{val})}$$
$$(X \boxdot Y)_{val} = X_{val} . Y_{val}$$
$$(\neg X)_{def} = X_{def} \qquad (\neg X)_{val} = \overline{X_{val}}$$
$$(X \triangleleft C)_{def} = X_{def} . C \qquad (X \triangleleft C)_{val} = X_{val} . C$$

where ⊕ is the exclusive or operator of the classical boolean set. The proof of the last equality is detailed in appendix D.

On the opposite side, we can expand each boolean element into a status member: 0 corresponds to 0 and 1 to 1. More precisely, let x be an element of B and ξ(x) its corresponding status; then

$$\xi(x)_{def} = 1 \quad \text{and} \quad \xi(x)_{val} = x.$$
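As an added example that is not part of the report, the following Python module implements the status set ξ with the three composition laws, the condition law and the B × B encoding defined above, and checks by exhaustive enumeration (64 triples at most) that axioms (1) to (5), the De Morgan laws, monotonicity and the def/val equalities hold against the tables. The function names and the string representation of the four statuses are our own choices.

```python
# Added example (not from the report): the status set ξ = {⊥, 0, 1, ⊤} of Section 3.1,
# its composition laws ⊞, ⊡, ¬, the condition law ◁, and the encoding into B x B,
# with exhaustive checks of the properties the text states.
from itertools import product

BOT, ZERO, ONE, TOP = "⊥", "0", "1", "⊤"
XI = (BOT, ZERO, ONE, TOP)

# Encoding of the text: status -> (S_def, S_val): 1 -> 11, 0 -> 10, ⊤ -> 01, ⊥ -> 00.
ENC = {ONE: (1, 1), ZERO: (1, 0), TOP: (0, 1), BOT: (0, 0)}
DEC = {bits: status for status, bits in ENC.items()}

def leq(x, y):
    """Lattice order: ⊥ below everything, ⊤ above everything, 0 and 1 incomparable."""
    return x == y or x == BOT or y == TOP

def join(x, y):
    """⊞: least upper bound; 0 ⊞ 1 = ⊤ records two incompatible statuses."""
    if leq(x, y):
        return y
    if leq(y, x):
        return x
    return TOP

def meet(x, y):
    """⊡: greatest lower bound; 0 ⊡ 1 = ⊥."""
    if leq(x, y):
        return x
    if leq(y, x):
        return y
    return BOT

def neg(x):
    """¬: exchanges 1 with 0 and ⊤ with ⊥."""
    return {ONE: ZERO, ZERO: ONE, TOP: BOT, BOT: TOP}[x]

def cond(x, c):
    """◁: x keeps its status when the boolean c is 1, otherwise it becomes ⊥."""
    return x if c else BOT

def boolean_algebra_axioms_hold():
    """Axioms (1)-(5), De Morgan and monotonicity of ⊞/⊡, checked over all of ξ."""
    for x, y, z in product(XI, repeat=3):
        ok = (join(x, y) == join(y, x) and meet(x, y) == meet(y, x)
              and join(join(x, y), z) == join(x, join(y, z))
              and meet(meet(x, y), z) == meet(x, meet(y, z))
              and meet(x, join(y, z)) == join(meet(x, y), meet(x, z))
              and join(x, meet(y, z)) == meet(join(x, y), join(x, z))
              and neg(join(x, y)) == meet(neg(x), neg(y))
              and neg(meet(x, y)) == join(neg(x), neg(y)))
        if leq(x, y):   # monotonicity with respect to the lattice order
            ok = ok and leq(join(x, z), join(y, z)) and leq(meet(x, z), meet(y, z))
        if not ok:
            return False
    return all(join(x, BOT) == x and meet(x, TOP) == x
               and join(x, neg(x)) == TOP and meet(x, neg(x)) == BOT for x in XI)

def encoding_equalities_hold():
    """The def/val formulas for ⊞, ⊡, ¬ and ◁ agree with the tables for every X, Y."""
    for x, y in product(XI, repeat=2):
        xd, xv = ENC[x]
        yd, yv = ENC[y]
        same_val = xv == yv                       # not (X_val xor Y_val)
        jd = int(xd and not yd and not yv or not xd and not xv and yd or xd and yd and same_val)
        md = int(xd and not yd and yv or not xd and xv and yd or xd and yd and same_val)
        if DEC[(jd, xv | yv)] != join(x, y) or DEC[(md, xv & yv)] != meet(x, y):
            return False
        if ENC[neg(x)] != (xd, 1 - xv):
            return False
        if any(ENC[cond(x, c)] != (xd & c, xv & c) for c in (0, 1)):
            return False
    return True
```

The two check functions return True exactly when every entry of the tables above is reproduced; changing a single cell of the encoding (for instance swapping the codes of ⊤ and ⊥) makes `encoding_equalities_hold()` fail, which is the quickest way to see why the definition bit has to carry the "defined as present or absent" meaning.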

Notion of Environment

An environment is a finite set of events. Environments are useful to record the current status of signals in a reaction. Thus a signal has a unique status in an environment: if $S^x$ and $S^y$ belong to the same environment, then $x = y$.

We extend the operations defined in ξ to environments. Let E and E' be two environments:

$$E \boxplus E' = \{ S^z \mid \exists S^x \in E, S^y \in E', z = x \boxplus y \}$$
$$E \boxdot E' = \{ S^z \mid \exists S^x \in E, S^y \in E', z = x \boxdot y \}$$
$$\neg E = \{ S^{\neg x} \mid S^x \in E \}$$
$$E \triangleleft c = \{ S \triangleleft c \mid S \in E \}$$

We define a relation (≼) on environments as follows:

$$E \preceq E' \iff \forall S^x \in E,\ \exists S^y \in E',\ S^x \le S^y$$

Thus E ≼ E' means that E is included in E' and that each element of E is less than an element of E' according to the lattice order of ξ. As a consequence, the ≼ relation is a total order on environments, and the ⊞ and ⊡ operations are monotonic with respect to ≼. Finally, we will denote by $E^\top$ the environment where all events have ⊤ status.

3.2 LE Behavioral Semantics

In order to describe the behavioral semantics of LE, we first introduce a process algebra associated with the language. Then we can define the semantics with a set of rewriting rules that determine a program execution. The semantics formalizes a reaction of a program P according to an input event set. $P \xrightarrow[E]{E'} P'$ has the usual meaning: E and E' are respectively the input and output environments; program P reacts to E, reaches a new state represented by P', and the output environment is E'.

To compute such a reaction we rely on the behavioral semantics of LE. This semantics supports a rule-based specification to describe the behavior of each operator of the LE process algebra associated with the LE language. A rule has the form $p \xrightarrow[E]{E',\,TERM} p'$ where p and p' are elements of the LE process algebra, E is an environment that specifies the status of the signals declared in the scope of p, E' is the output environment, and TERM is a boolean flag, true when p terminates. This notion of termination differs from the one used in the successive behavioral semantics of the Esterel language. It means that from the current reaction, p is able to terminate, and this information will be sustained until the real termination occurs.

Let P be a LE program and p its corresponding process algebra term. Given an input event set E, a reaction is computed as follows:

$$P \xrightarrow[E]{E'} P' \iff p \xrightarrow[E]{E',\,TERM} p'$$
LE Process Calculus (PLE)

The PLE process algebra associated to the LE language is defined as follows:

• nothing;

• halt;

• !s (emit s);

• wait s;

• iwait s (wait immediate s);

• s ? p : q (present s {p} else {q});

• p || q;

• p ≫ q;

• p ↑s (abort {p} when s);

• p* (loop {p});

• p\s (local s {p});

• A(M, T, Cond, M_f, O, λ). An automaton A is a structure made of 6 components:

  1. a finite set of macro states (M). Each macro state M may itself be composed of a sub term p (denoted M[p]);

  2. a finite set of conditions (Cond);

  3. a finite set of transitions (T). A transition is a 3-uple <M, c, M'> where c ∈ Cond is a boolean condition raising the transition from macro state M to macro state M'. We will denote it M → M' for short in the rest of the report, and $c_{M \to M'}$ will denote the condition associated with the transition. T is also composed of initial transitions of the form $\xrightarrow{c} M'$. They are useful to start the automaton run. When condition c is true, the macro state M' is reached;

  4. a final macro state M_f;

  5. a finite set of output signals (O) paired with an output function λ that links macro states and output signals: λ : T → P(O), defined as follows: λ(M → M') = o ⊆ O is the set of output signals emitted when the trigger condition $c_{M \to M'}$ is true.

Each instruction of LE has a natural translation as an operator of the process algebra. As a consequence, we associate a term of the process algebra with the body of each program, while the interface part allows us to build the global environment used to define the program reaction as a rewriting of the behavioral semantics. Notice that the operator iwait s does not correspond to any instruction of the language; it is introduced to express the semantics of the wait statement. It is a means to express that the behavior of a term takes at least one instant. It is the case of wait s, which skips an instant before reacting to the presence of s.

More precisely, we introduce a mapping Γ : LE → PLE, which associates a PLE term with each LE program. Γ is defined according to the syntax of the LE language. Let P be a LE program; Γ(P) is structurally defined on the body of P.

• Γ(nothing) = nothing;

• Γ(halt) = halt;

• Γ(emit s) = !s;

• Γ(wait s) = wait s;

• Γ(present s {P1} else {P2}) = s ? Γ(P1) : Γ(P2);

• Γ(P1 || P2) = Γ(P1) || Γ(P2);

• Γ(P1 ≫ P2) = Γ(P1) ≫ Γ(P2);

• Γ(abort {P1} when s) = Γ(P1) ↑s;

• Γ(loop {P1}) = Γ(P1)*;

• Γ(local s {P1}) = Γ(P1)\s;

• Γ(run P1) = wait tick ≫ Γ(P1), where tick is a "clock" signal present in each reaction;

• Γ(A(M, T, Cond, M_f, O, λ)) = A(M, T, Cond, M_f, O, λ).

Behavioral Semantic Rules

The basic operators of the LE process algebra have the following rewriting rules. Both nothing and halt have no influence on the current environment, but the former is always ready to leave and the latter never. The emit operator is ready to leave, and the emitted signal is set present in the environment.

$$\mathtt{nothing} \xrightarrow[E]{E,\,1} \mathtt{nothing} \quad (nothing) \qquad \mathtt{halt} \xrightarrow[E]{E,\,0} \mathtt{halt} \quad (halt) \qquad !s \xrightarrow[E]{E[s \leftarrow 1],\,1} \mathtt{nothing} \quad (emit)$$

Wait

The semantics of wait is to wait at least one instant. Thus, to express its behavior, we introduce the iwait operator. Then wait s is not ready to leave and rewrites into iwait s. This rewriting behaves like wait s except that it reacts instantaneously to the signal presence.

$$\mathtt{wait}\ s \xrightarrow[E]{E,\,0} \mathtt{iwait}\ s \quad (wait)$$

$$\frac{s^1 \in E}{\mathtt{iwait}\ s \xrightarrow[E]{E,\,1} \mathtt{nothing}} \quad (iwait1) \qquad \frac{s^0 \in E}{\mathtt{iwait}\ s \xrightarrow[E]{E,\,0} \mathtt{iwait}\ s} \quad (iwait2)$$

In the following, we denote by $s \leftarrow 1$ the setting of the value of s to 1 ($\xi(s) = 1$).
Present

The semantics of the s ? p : q operator depends on the status of s in the initial environment E. If s is present (resp. absent) in E, the operator behaves like p (resp. q) (rules present1 and present2). Otherwise, if s is undefined we cannot progress in the rewriting system (rule present3), and if the computation of the internal status of s results in ⊤, it is an error and it is propagated (each event is set to error in the environment, rule present4).

$$\frac{p \xrightarrow[E]{E_p,\,TERM_p} p',\ q \xrightarrow[E]{E_q,\,TERM_q} q',\ s^1 \in E}{s\,?\,p : q \xrightarrow[E]{E_p,\,TERM_p} p'} \quad (present1)$$

$$\frac{p \xrightarrow[E]{E_p,\,TERM_p} p',\ q \xrightarrow[E]{E_q,\,TERM_q} q',\ s^0 \in E}{s\,?\,p : q \xrightarrow[E]{E_q,\,TERM_q} q'} \quad (present2)$$

$$\frac{p \xrightarrow[E]{E_p,\,TERM_p} p',\ q \xrightarrow[E]{E_q,\,TERM_q} q',\ s^\bot \in E}{s\,?\,p : q \xrightarrow[E]{E,\,0} s\,?\,p : q} \quad (present3)$$

$$\frac{p \xrightarrow[E]{E_p,\,TERM_p} p',\ q \xrightarrow[E]{E_q,\,TERM_q} q',\ s^\top \in E}{s\,?\,p : q \xrightarrow[E]{E^\top,\,0} s\,?\,p : q} \quad (present4)$$

Parallel

The parallel operator computes its two arguments according to the broadcast of signals between both sides, and it terminates when both sides do.

$$\frac{p \xrightarrow[E]{E_p,\,TERM_p} p',\ q \xrightarrow[E]{E_q,\,TERM_q} q'}{p \,\|\, q \xrightarrow[E]{E_p \boxplus E_q,\ TERM_p \cdot TERM_q} p' \,\|\, q'} \quad (parallel)$$

Sequence

The sequence operator has the usual behavior. While the first argument does not terminate, we don't begin the computation of the second argument (rule sequence1). When it terminates, we start the second argument (rule sequence2).

$$\frac{p \xrightarrow[E]{E_p,\,0} p'}{p \gg q \xrightarrow[E]{E_p,\,0} p' \gg q} \quad (sequence1) \qquad \frac{p \xrightarrow[E]{E_p,\,1} \mathtt{nothing},\ q \xrightarrow[E]{E_q,\,TERM_q} q'}{p \gg q \xrightarrow[E]{E_q,\,TERM_q} q'} \quad (sequence2)$$
Abort

The behavior of the abort operator first derives the body of the statement. Then, if the aborting signal is present in the input environment, the statement rewrites into nothing and terminates (rule abort1). If it is not, the body of the statement is derived again (rules abort2 and abort3).

$$\frac{p \xrightarrow[E]{E_p,\,TERM_p} p',\ s^1 \in E}{p \uparrow s \xrightarrow[E]{E,\,1} \mathtt{nothing}} \quad (abort1)$$

$$\frac{p \xrightarrow[E]{E_p,\,1} \mathtt{nothing},\ s^0 \in E}{p \uparrow s \xrightarrow[E]{E_p,\,1} \mathtt{nothing}} \quad (abort2) \qquad \frac{p \xrightarrow[E]{E_p,\,0} p',\ s^0 \in E}{p \uparrow s \xrightarrow[E]{E_p,\,0} p' \uparrow s} \quad (abort3)$$

Loop

The loop operator never terminates, and p* behaves as p ≫ p*.

$$\frac{p \xrightarrow[E]{E_p,\,0} p'}{p^* \xrightarrow[E]{E_p,\,0} p' \gg p^*} \quad (loop)$$

Local

The local operator behaves as an encapsulation. Local signals are no longer visible in the surrounding environment.

$$\frac{p \xrightarrow[E]{E_p,\,TERM_p} p'}{p \backslash s \xrightarrow[E]{E_p - \{s\},\,TERM_p} p' \backslash s} \quad (local)$$
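As an added example that is not part of the report, the Python interpreter below applies the rewriting rules above (nothing, halt, emit, wait/iwait, present, parallel, sequence, abort, loop and local; automata are left out) to one reaction of a constructed program. The tuple encoding of terms, the `step`/`run` names and two points the rules leave open are our assumptions and are marked as such in the comments: an `iwait` on a signal whose status is ⊥ does not progress, and sequence2 is read as joining the two output environments so that the first argument's emissions survive the instant (the conclusion of the rule as written carries $E_q$ only).

```python
# Added example, not from the report: a direct reading of the Section 3.2 rewriting
# rules for the non-automaton operators of PLE. A term is a tuple; an environment E
# is a dict {signal: status} with status in ξ = {"⊥", "0", "1", "⊤"}; step(p, E)
# returns the triple (p', E', TERM) of a rule p --E',TERM/E--> p'.
BOT, ZERO, ONE, TOP = "⊥", "0", "1", "⊤"

def join(x, y):
    """⊞ on ξ: ⊥ is below 0 and 1, ⊤ above them, and 0 ⊞ 1 = ⊤ (inconsistent)."""
    if x == y or x == BOT or y == TOP:
        return y
    if y == BOT or x == TOP:
        return x
    return TOP

def env_join(E, F):
    """E ⊞ F of the environment section, pointwise on the signals of E."""
    return {s: join(E[s], F[s]) for s in E}

def step(p, E):
    kind = p[0]
    if kind == "nothing":                      # (nothing): ready to leave, E untouched
        return p, E, 1
    if kind == "halt":                         # (halt): never leaves
        return p, E, 0
    if kind == "emit":                         # (emit): E[s <- 1], terminates
        return ("nothing",), {**E, p[1]: ONE}, 1
    if kind == "wait":                         # (wait): skips the instant, becomes iwait
        return ("iwait", p[1]), E, 0
    if kind == "iwait":                        # (iwait1) / (iwait2)
        if E[p[1]] == ONE:
            return ("nothing",), E, 1
        return p, E, 0                         # assumption: status ⊥ treated like 0
    if kind == "present":                      # (present1..4), on the status of s in E
        _, s, q, r = p
        status = E[s]
        if status == ONE:
            return step(q, E)
        if status == ZERO:
            return step(r, E)
        if status == BOT:                      # undefined: the rewriting cannot progress
            return p, E, 0
        return p, {k: TOP for k in E}, 0       # ⊤: error, every event set to ⊤ (E^⊤)
    if kind == "par":                          # (parallel): broadcast through E_p ⊞ E_q
        q1, Eq, tq = step(p[1], E)
        r1, Er, tr = step(p[2], E)
        return ("par", q1, r1), env_join(Eq, Er), tq & tr
    if kind == "seq":                          # (sequence1) / (sequence2)
        q1, Eq, tq = step(p[1], E)
        if not tq:
            return ("seq", q1, p[2]), Eq, 0
        r1, Er, tr = step(p[2], E)
        # Assumption: the first argument's emissions are kept by joining the two
        # output environments; the rule on the page labels the conclusion with E_q.
        return r1, env_join(Eq, Er), tr
    if kind == "abort":                        # (abort1..3): the body is derived first
        _, q, s = p
        q1, Eq, tq = step(q, E)
        if E[s] == ONE:                        # strong preemption: body discarded
            return ("nothing",), E, 1
        return (q1 if tq else ("abort", q1, s)), Eq, tq
    if kind == "loop":                         # (loop): p* rewrites to p' ≫ p*
        q1, Eq, _ = step(p[1], E)
        return ("seq", q1, p), Eq, 0
    if kind == "local":                        # (local): s removed from the output
        _, q, s = p
        q1, Eq, tq = step(q, {**E, s: E.get(s, BOT)})   # assumption: fresh local is ⊥
        return ("local", q1, s), {k: v for k, v in Eq.items() if k != s}, tq
    raise ValueError(f"unknown operator {kind!r}")

def run(p, inputs, declared):
    """Play one reaction per input set: inputs are 1 or 0, other signals start at ⊥.
    Returns, per instant, the sorted list of emitted outputs and the TERM flag."""
    trace = []
    for active in inputs:
        E = {s: (ONE if s in active else (ZERO if s in declared["in"] else BOT))
             for s in declared["in"] + declared["out"]}
        p, E1, term = step(p, E)
        trace.append((sorted(s for s in declared["out"] if E1[s] == ONE), term))
    return trace

# Constructed program (our own): on I emit O, then wait for S and emit Done,
# the whole body under a strong abort on K.
PROG = ("abort",
        ("seq", ("present", "I", ("emit", "O"), ("nothing",)),
                ("seq", ("wait", "S"), ("emit", "Done"))),
        "K")
DECL = {"in": ["I", "S", "K"], "out": ["O", "Done"]}

if __name__ == "__main__":
    print(run(PROG, [{"I"}, set(), {"S"}], DECL))
```

With I present in the first instant, nothing in the second and S in the third, the trace is O emitted in the first instant, nothing in the second, and Done together with termination in the third; with K present in the first instant the strong abort discards the body, so nothing is emitted and the term terminates. A `present` on a signal still at ⊥ returns the same term with TERM 0, which is the "cannot progress" case of rule present3 and the reason the equational semantics has to resolve such statuses before the behavioral reading applies.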



Automata

Automata are deterministic (i.e. $\forall M \in \mathcal{M},\ \exists!\, M \to M' \in T$ such that $c_{M \to M'} = 1$). The semantics of automaton terms relies on macro state semantics. A macro state does not terminate within a single reaction. Its duration is at least one instant. Thus, M[p] waits an instant and then has the same behavior as p:

$$M[p] \xrightarrow[E]{E,\,0} p$$

If the macro state is only a state without a sub term p, then

$$M \xrightarrow[E]{E,\,0} \mathtt{nothing}$$
Now, we define the rewriting rules for automata $A$. The evaluation of a condition $c \in Cond$ depends 
on the current status of signals in the environment. To denote the current value of a condition we 
will use the following notation: $E \models c = b$. 
Axiom: 

$$A \xrightarrow[E]{\quad} \langle A, M, M[p] \rangle \quad (automata0)$$

Rewriting rules for automata describe the behavior of a reaction as usual. Thus, we define rewriting 
rules on a 3-tuple $\langle A, M, p \rangle$. The first element of the tuple is the automaton we consider, the 
second is the macro state we are in, and the third is the current evaluation of the sub term involved 
in this macro state. 

$$\frac{p \xrightarrow[E]{E_p,\,TERM_p} p' \quad \forall M' \text{ such that } M \to M' \in T,\ E_p \models c_{M \to M'} \neq 1}{\langle A, M, p \rangle \xrightarrow[E]{E_p,\,0} \langle A, M, p' \rangle}\ (automata1)$$

$$\frac{\exists M' \text{ such that } M \to M' \in T \text{ and } E \models c_{M \to M'} = 1}{\langle A, M, p \rangle \xrightarrow[E]{E[s^1 \mid s \in \lambda(M \to M')],\,0} \langle A, M', M'[p] \rangle}\ (automata2)$$

$$\frac{p \xrightarrow[E]{E_p,\,1} nothing}{\langle A, M_f, p \rangle \xrightarrow[E]{E_p,\,1} nothing}\ (automata3)$$

Rule automata0 is the axiom that starts the evaluation of the automaton. Rule automata1 expresses 
the behavior of an automaton $A$ when all the transition trigger conditions are false: in such a case, the sub 
term associated with the current macro state is derived (whatever the derivation is) and the automaton 
does not terminate. Conversely, rule automata2 expresses the automaton behavior when a 
transition condition becomes true. In such a case, the automaton steps to the next macro state specified 
in the condition and the emitted signals associated with the transition are set to 1 in the environment. 
Finally, rule automata3 is applied when the evaluation of the term included in the final macro state 
is over; then the automaton computation is terminated. 

The behavioral semantic is a "macro" semantic that gives the meaning of a reaction for each term 
of the LE process algebra. Nevertheless, a reaction is the least fixed point of a micro step semantic 
that computes the output environment from the initial one. Since the $\boxplus$ and 
$\lhd$ operations are monotonic with respect to the $\leq$ order, we can rely on the work about denotational 
semantic ID to ensure that, for each term, this least fixed point exists. Practically, we have $p \xrightarrow[E]{E',\,TERM} p'$ 
if there is a sequence of micro step derivations: 

$$p \xrightarrow[E]{E_1} p_1,\quad p_1 \xrightarrow[E_1]{E_2} p_2,\quad \dots$$

At each step $E_{i+1} = F^i(E_i)$; since the $F^i$ functions are combinations of the $\boxplus$ operator and of the $\lhd$ 
condition law, they are monotonic and then $\forall i$, $E_{i+1} \leq F^i(E_i)$. Then, we have $E' = \bigcup_n F^n(E_n)$, 
thus it turns out that $E'$ is the least fixpoint of the family of $F^n$ functions. But the $\xi$ boolean algebra is 
a complete lattice, so is the set of environments, and as a consequence such a least fixpoint exists. 

4 LE Equational Semantic 

In this section, we introduce a constructive circuit semantic for LE which gives us a practical means 
to compile LE programs in a modular way. 

The behavioral semantic describes how the program reacts in an instant. It is logically correct in 
the sense that it computes a single output environment for each input event environment when there 
is no causality cycle. To face this causality cycle problem, specific to the synchronous approach, con- 
structive semantic have been introduced [2]. Such a semantic for synchronous languages is the 
application of constructive boolean logic theory to synchronous language semantic definition. The 
idea of constructive semantic is to "forbid self-justification and any kind of speculative reasoning, 
replacing them by a fact-to-fact propagation". In a reaction, signal statuses are established following 
propagation laws: 

• each input signal status is determined by the environment; 

• each unknown signal S becomes present if an "emit S" can be executed; 

• each unknown signal S becomes absent if an "emit S" cannot be executed; 

• the then branch of a test is executed if the tested signal is present; 

• the then branch of a test is not executed if the tested signal cannot be present; 

• the else branch of a test is executed if the tested signal is absent; 

• the else branch of a test is not executed if the tested signal cannot be absent; 

A program is constructive if and only if fact propagation is sufficient to establish the presence or 
absence of all signals. 

An elegant means to define a constructive semantic for a language is to translate each program into 
a constructive circuit. Such a translation ensures that programs containing no cyclic instantaneous 
signal dependencies are translated into cycle free circuits. Usually, a boolean sequential circuit is 
defined by a set of wires $W$, a set of registers $R$, and a set of boolean equations to assign values to 
wires and registers. $W$ is partitioned into a set of input wires $I$, a set of output wires $O$ and a set of local 
wires. The circuit computes output wire values from input wires and register values. Registers are 
boolean memories that feed back the circuit. The computation of circuit outputs is done accord- 
ing to a propagation law and, to ensure that this propagation leads to logically correct solutions, a 
constructive value propagation law is supported by the computation. 
Constructive Propagation Law 

Let $C$ be a circuit, $I$ its input wire set, $R_v$ a register valuation (also called a "state") and $w$ a wire 
expression. Following [2], the constructive propagation law has the form $I, R_v \vdash w \mapsto b$, where $b$ is a 
boolean value, and the law means that under the $I$ and $R_v$ assumptions, $w$ evaluates to $b$. The definition 
of the law is: 

$$\begin{array}{lll}
I, R_v \vdash w \mapsto b & \text{if} & I(w) = b \\
I, R_v \vdash w \mapsto b & \text{if} & R_v(w) = b \\
I, R_v \vdash w \mapsto b & \text{if} & w = e \in C,\ I, R_v \vdash e \mapsto b \\
I, R_v \vdash w \mapsto b & \text{if} & w = \neg e,\ I, R_v \vdash e \mapsto \neg b \\
I, R_v \vdash w \mapsto 1 & \text{if} & w = e + e',\ I, R_v \vdash e \mapsto 1 \text{ or } I, R_v \vdash e' \mapsto 1 \\
I, R_v \vdash w \mapsto 0 & \text{if} & w = e + e',\ I, R_v \vdash e \mapsto 0 \text{ and } I, R_v \vdash e' \mapsto 0 \\
I, R_v \vdash w \mapsto 1 & \text{if} & w = e.e',\ I, R_v \vdash e \mapsto 1 \text{ and } I, R_v \vdash e' \mapsto 1 \\
I, R_v \vdash w \mapsto 0 & \text{if} & w = e.e',\ I, R_v \vdash e \mapsto 0 \text{ or } I, R_v \vdash e' \mapsto 0
\end{array}$$

The $\mapsto$ propagation law is the logical characterization of constructive circuits. Nevertheless, this 
notion also supports two equivalent characterizations. The denotational one relies on three-valued 
booleans ($B_\bot = \{\bot, 0, 1\}$): a circuit $C$ with $n$ wires, input wire set $I$ and registers $R$ is considered 
as a monotonic function $C(I, R) : B_\bot^n \to B_\bot^n$. Such a function has a least fixed point and this latter 
is equal to the solution of the equation system associated to the logical point of view. On the other 
hand, the electrical characterization uses the inertial delay model of Brzozowski and requires electrical 
stabilization for all delays. In [14], it is shown that a circuit $C$ is constructive for $I$ and $R$ if and only 
if, for any delay assignment, all wires stabilize after a time $t$. The resulting electrical wire values are 
equal to the results of applying the logical propagation law. 
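The propagation law above can be executed as an iteration to its least fixed point. The following Python program is an added example and not the report's own code: it evaluates a set of boolean wire equations over the three-valued domain $\{\bot, 0, 1\}$ using exactly the cases of the law (inputs, registers, wire definitions, negation, sum, product), and declares the circuit constructive only when every wire has left $\bot$, which is the "fact-to-fact propagation, no speculation" criterion. The tuple-based expression syntax and the sample circuits are constructed for this example; note that the same cyclic circuit is constructive for one input valuation and not for another.

```python
# Added example, not the report's own code: constructive propagation over
# B_bot = {BOT, 0, 1}, following the cases of the law I, R_v |- w -> b.

BOT = None  # the undetermined value "bottom"

# Constructed expression syntax for wire definitions:
#   ("in", name)   input wire        ("reg", name)   register value
#   ("wire", name) another wire      ("not", e)      negation
#   ("or", e1, e2) sum e + e'        ("and", e1, e2) product e.e'

def ev(expr, inputs, regs, wires):
    """Apply the propagation law once to `expr`; BOT means no rule fires yet."""
    kind = expr[0]
    if kind == "in":                    # I, R_v |- w -> b if I(w) = b
        return inputs[expr[1]]
    if kind == "reg":                   # ... if R_v(w) = b
        return regs[expr[1]]
    if kind == "wire":                  # ... if w = e in C and e -> b was already established
        return wires.get(expr[1], BOT)
    if kind == "not":                   # w = not e: decided only once e is decided
        v = ev(expr[1], inputs, regs, wires)
        return BOT if v is BOT else 1 - v
    a = ev(expr[1], inputs, regs, wires)
    b = ev(expr[2], inputs, regs, wires)
    if kind == "or":                    # 1 as soon as one side is 1; 0 only when both are 0
        if a == 1 or b == 1:
            return 1
        if a == 0 and b == 0:
            return 0
        return BOT
    if kind == "and":                   # 0 as soon as one side is 0; 1 only when both are 1
        if a == 0 or b == 0:
            return 0
        if a == 1 and b == 1:
            return 1
        return BOT
    raise ValueError(f"unknown expression kind {kind!r}")

def propagate(equations, inputs, regs):
    """Fact propagation to the least fixed point.

    `equations` maps each wire name to its defining expression. Returns
    (values, constructive): `constructive` is True only if every wire has left
    BOT, i.e. the facts alone decided every wire without any speculation."""
    wires = {w: BOT for w in equations}
    changed = True
    while changed:                      # a pass only moves wires BOT -> 0/1, so this terminates
        changed = False
        for w, e in equations.items():
            if wires[w] is BOT:
                v = ev(e, inputs, regs, wires)
                if v is not BOT:
                    wires[w] = v
                    changed = True
    return wires, all(v is not BOT for v in wires.values())

# Constructed sample circuits.
CYCLIC = {"x": ("or", ("in", "a"), ("wire", "y")),          # x = a + y
          "y": ("and", ("wire", "x"), ("in", "b"))}         # y = x . b   (x and y depend on each other)
SELF_JUSTIFYING = {"x": ("or", ("wire", "x"), ("in", "a"))}  # x = x + a
SPECULATIVE = {"x": ("or", ("in", "a"), ("not", ("in", "a")))}  # x = a + not a

if __name__ == "__main__":
    print(propagate(CYCLIC, {"a": 1, "b": 0}, {}))          # constructive: a = 1 decides x, then y
    print(propagate(CYCLIC, {"a": 0, "b": 1}, {}))          # not constructive: x waits for y and y for x
    print(propagate(SELF_JUSTIFYING, {"a": 0}, {}))        # not constructive: x would justify itself
    print(propagate(SPECULATIVE, {"a": BOT}, {}))          # not constructive: no case split on a
```

The SPECULATIVE circuit is the classic illustration of the "no speculative reasoning" clause: classical logic gives $a + \neg a = 1$ for every $a$, but the law never fires while $a$ is still $\bot$.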



4.1 Equational Semantic Foundations 

LE circuit semantic associates a specific circuit with each operator of the language. This circuit is 
similar to sequential boolean circuits except that wire values are elements of the $\xi$ boolean algebra. As 
a consequence, the equation system associated with such a circuit handles $\xi$ valued variables. As 
already mentioned, the solutions of the equation system allow to determine all signal statuses. 
To express the semantic of each statement in LE, we generate a circuit whose interface handles the 
following wires to propagate information and so to ensure synchronization between statements: 

• SET to propagate the control (input wire); 

• RESET to propagate reinitialization (input wire); 

• RTL (ready to leave) wire to indicate that the statement can terminate in the reaction (or in a 
further one); 

Wires used to synchronize sub programs are never equal to $\bot$ or $\top$. They can be considered as 
boolean and the only values they can bear are true or false. Thus, according to our translation from 
$\xi$ to $B \times B$: $SET_{def} = RESET_{def} = RTL_{def} = 1$. In the following, we will denote $P_S$ the 
set of synchronization wires of $P$. Moreover, for statements that do not terminate instantaneously, 
a register is introduced (called ACTIF). Similarly to control wires, $ACTIF_{def} = 1$. We will denote 
$P_R$ the set of registers of a program $P$. 

Figure 1: Circuit semantic for a LE statement 

In order to define the equational semantic, we introduce an operator $\boxtimes$ that acts on the elements of $\xi$ 
whose boolean definition value is 1. Let $\xi_{def} = \{x \in \xi \mid x_{def} = 1\}$: 

$$(x, y) \mapsto (1, x_{def}.x_{val}.y_{val})$$

This new operation will be useful to define the product between a real $\xi$ valued signal and a synchro- 
nization wire or register. It is different from the $\lhd$ operation, since this latter defines a "mux" operation 
and not a product. 

In addition, we introduce a $Pre$ operation on environments in order to express the semantic of op- 
erators that do not react instantaneously. It allows to memorize all the statuses of current instances 
of events. As already said, an environment is a set of events, but the circuit semantic handles wider 
environments than the behavioral semantic. In the latter, they contain only input and output events, 
while in the equational semantic they also contain event duplications, wires and registers. Let $E$ be 
an environment; we denote $E|_i$ the input events of $E$ and $E|_o$ the output ones. 

$$Pre(E) = \{S^\bot \mid S^x \in E, S \notin E|_i, S \notin E|_o\} \cup \{S^x_{pre} \mid S^x \in E, S \notin E|_i, S \notin E|_o\}$$

The $Pre(E)$ operation consists in a duplication of events in the environment. Each event $S^x$ is 
recorded in a new event $S^x_{pre}$ and the current value of signal $S$ is set to $\bot$ in order to be refined 
in the current computation. But the $Pre(E)$ operation does not concern interface signals, because it 
would be useless: only their value in the current instant is relevant. Moreover, this operation updates the 
register values: we will denote $ACTIF^+$ the value of the register ACTIF computed for the next 
reaction. 
In the LE equational semantic, we consider $\xi$-circuits¹, i.e. circuits characterized by a set of $\xi$-wires, a set 
of $\xi$-registers and an environment $E$ where $\xi$-wires and $\xi$-registers have associated $\xi$ values. The 
$\xi$-circuit schema is described in figure 1. The $\xi$-circuit associated with a statement has an input 
environment $E$ and generates an output environment $E'$. The environment includes input, output, 
local and register statuses. 

We rely on the general theory of boolean constructiveness previously detailed. Let $C$ be a $\xi$-circuit; 
we translate $C$ into a boolean circuit. More precisely, $C = (W, R, E)$ where $W$ is a set of $\xi$-wires 
and $R$ a set of $\xi$-registers. $E$ is composed of a set of equations of the form $w = e$ in order to compute 
a status for wires and registers. 

Now, we translate $C$ into the following boolean circuit $C^B = (W^B, R^B, D^B)$ where $W^B$ is a set of 
boolean wires, $R^B$ a set of boolean registers and $D^B$ a set of boolean equations: 

$$W^B = \{w_{def}, w_{val} \mid w \in W\}$$

$$R^B = \{w_{def}, w_{val} \mid w \in R\}$$

$$D^B = \{w_{def} = e_{def},\ w_{val} = e_{val} \mid w = e \in E\}$$

$e_{def}$ and $e_{val}$ are computed according to the algebraic rules detailed in section 3.1. 

Now we define the constructive propagation law ($\mapsto$) for $\xi$-circuits. Let $C$ be a $\xi$-circuit with $I \subseteq E$ 
as input wire set and $R \subseteq E$ as register set; the definition of the constructive propagation law for $C$ 
is: 

$$E \vdash w \mapsto bb \iff I^B, R^B \vdash w_{def} \mapsto bb_{def} \text{ and } I^B, R^B \vdash w_{val} \mapsto bb_{val}$$

This definition is the core of the equational semantic. We rely on it to compile LE programs into 
boolean equations. Thus, we benefit from BDD representation and optimizations to get an efficient 
compilation means. Moreover, we also rely on BDD representation to implement a separate compi- 
lation mechanism. 

Given $P$ a LE statement, let $C(P)$ be its associated circuit² and $E$ be an input environment. A reac- 
tion for the circuit semantic corresponds to the computation of an output environment, composition 
of $E$ and the synchronization equations of $P$. We denote $\bullet$ this composition operation: 

$$E' = E \bullet C(P) \text{ if and only if } E \cup C(P) \vdash w \mapsto bb \text{ and } E'(w) = bb,\ \forall w \in E \cup C(P).$$

Now, we define the circuit semantic for each statement of LE. We will denote $(P)_E$ the output 
environment of $P$ built from the $E$ input environment. 
4.2 Equational Semantic of LE Statements 

Nothing 

The circuit for nothing is described in figure 9(a) in appendix E. The corresponding equation 
system is the following: 

$$(nothing)_E = E \bullet \{RTL = SET\}$$

¹ In what follows, when no ambiguity remains, we will omit the $\xi$ prefix when speaking about $\xi$-circuits. 
² The equations defining its SET, RESET and RTL wires and the equations defining its registers, when it has some. 
Halt 

The circuit for halt is described in figure 9(b) in appendix E. The statement is never ready to leave 
instantaneously. 

$$(halt)_E = E \bullet \{RTL = 0\}$$

Emit 

The emit S statement circuit is described in figure 10 in appendix E. As soon as the statement 
receives the control, it is ready to leave. RTL and SET wires are equal and the emitted signal S is 
present in the output environment. We do not directly set the value of S to 1 in the environment: 
we perform a $\boxplus$ operation with 1 in order to keep the possible value $\top$ and thus transmit errors. 
Moreover, the latter is driven with the boolean value of the RTL wire ($i(S)$ denotes the current status of S in E): 

$$(emit\ S)_E = (E[S \leftarrow (1 \boxplus i(S))]) \lhd RTL_{val} \bullet \{RTL = SET\}$$

Pause 

The circuit for pause is described in figure 11(a) in appendix E. This statement does not terminate 
instantaneously; as a consequence a register is created and a $Pre$ operation is applied to the output 
environment: 

$$(pause)_E = Pre(E) \bullet \left\{\begin{array}{l} RTL = ACTIF \\ ACTIF^+ = (SET \boxplus ACTIF) \boxtimes \neg RESET \end{array}\right.$$

Wait 

The circuit for wait is described in figure 11(b) in appendix E. The wait S statement is very similar 
to the pause one, except that the ready to leave wire is driven by the presence of the awaited signal: 

$$(wait\ S)_E = Pre(E) \bullet \left\{\begin{array}{l} RTL = ACTIF \boxtimes S \\ ACTIF^+ = (SET \boxplus ACTIF) \boxtimes \neg RESET \end{array}\right.$$



Present 

The circuit for present S {P1} else {P2} is described in figure 12 in appendix E. Let $E$ be an 
input environment; the SET control wire is propagated to the then operand $P_1$ assuming signal S 
is present, while it is propagated to the else operand $P_2$ assuming that S is absent. The resulting 
environment $E'$ is the $\boxplus$ law applied to the respective outgoing environments of $P_1$ and $P_2$. Let $E'$ 
be $(present\ S\ \{P_1\}\ else\ \{P_2\})_E$; $E'$ is defined as follows: 

$$(present\ S\ \{P_1\}\ else\ \{P_2\})_E = (P_1)_{E \lhd (S_{def}.S_{val})} \boxplus (P_2)_{E \lhd (S_{def}.\neg S_{val})} \boxplus E \lhd \neg(S_{def}.S_{val}) \boxplus E \lhd \neg(S_{def}.\neg S_{val}) \bullet \left\{\begin{array}{l} SET_{P_1} = SET \boxtimes (S_{def}.S_{val}) \\ SET_{P_2} = SET \boxtimes (S_{def}.\neg S_{val}) \\ RESET_{P_1} = RESET \\ RESET_{P_2} = RESET \\ RTL = RTL_{P_1} \boxplus RTL_{P_2} \boxplus (1 \lhd \neg S_{def}.S_{val}) \end{array}\right.$$



Parallel 

Figure 13 in appendix E shows the circuit for $P_1 \parallel P_2$. The output environment contains the upper 
bound of the respective events in the output environments of $P_1$ and $P_2$. The parallel is ready to leave 
when both $P_1$ and $P_2$ are: 

$$(P_1 \parallel P_2)_E = (P_1)_E \boxplus (P_2)_E \bullet \left\{\begin{array}{l} SET_{P_1} = SET \\ SET_{P_2} = SET \\ RESET_{P_1} = RESET \\ RESET_{P_2} = RESET \\ ACTIF_1^+ = (RTL_{P_1} \boxplus ACTIF_1) \boxtimes \neg RESET \\ ACTIF_2^+ = (RTL_{P_2} \boxplus ACTIF_2) \boxtimes \neg RESET \\ RTL = (RTL_{P_1} \boxplus ACTIF_1) \boxtimes (RTL_{P_2} \boxplus ACTIF_2) \end{array}\right.$$



Sequence 

Figure 14 in appendix E shows the circuit for $P_1 \gg P_2$. The control is passed on from $P_1$ to $P_2$: 
when $P_1$ is ready to leave, $P_2$ gets the control (equation 1) and $P_1$ is reset (equation 2): 

$$(P_1 \gg P_2)_E = (P_1)_E \boxplus ((P_2)_{(P_1)_E} \lhd RTL_{P_1}) \bullet \left\{\begin{array}{ll} SET_{P_1} = SET & \\ SET_{P_2} = RTL_{P_1} & (1) \\ RESET_{P_1} = RESET \boxplus RTL_{P_1} & (2) \\ RESET_{P_2} = RESET & \\ RTL = RTL_{P_2} & \end{array}\right.$$
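To show how the pause, emit and sequence equations above interact from one reaction to the next, here is an added Python example (not code from the report): it computes three successive reactions of $pause \gg emit\ S$. Synchronization wires are handled as booleans, as the report allows, and $\boxtimes$ is implemented from its definition ($(x, y) \mapsto (1, x_{def}.x_{val}.y_{val})$). Two readings are assumptions made explicit in the code: $\boxplus$ on $\{\bot, 0, 1, \top\}$ is taken as the upper bound with $\bot$ neutral, $\top$ absorbing and $0 \boxplus 1 = 1$; and $x \lhd c$ is taken as $x$ when $c = 1$ and $\bot$ otherwise, which is the reading the sequence proof later uses when it states that the $\lhd$ term becomes $E_\bot$ for $RTL(P_1) = 0$. The register ACTIF of the pause is carried from one reaction to the next as $Pre$ does; S is an output signal, so it enters every reaction with status $\bot$ (constructed input).

```python
# Added example, not the report's own code: P = P1 >> P2 with P1 = pause and
# P2 = emit S, computed reaction by reaction from the equations of this section.
BOT, TOP = "bot", "top"      # xi = {bot, 0, 1, top}; 0 and 1 are plain ints

def plus(x, y):
    """(+) law, ASSUMED here as: bot neutral, top absorbing, 0 (+) 1 = 1.
    On boolean-valued synchronization wires this is a disjunction."""
    if x == BOT:
        return y
    if y == BOT:
        return x
    if x == TOP or y == TOP:
        return TOP
    return max(x, y)

def times(x, y):
    """(x) law from the report: (x, y) -> (1, x_def.x_val.y_val); with def = 1
    on both operands this is the conjunction of the val parts."""
    return x & y

def mux(x, c):
    """x <| c, ASSUMED as the mux the report describes: x when c = 1, bot
    otherwise (the reading used in the sequence proof, where the <| term is E_bot)."""
    return x if c == 1 else BOT

def reaction(S_in, actif, SET, RESET):
    """One reaction. `actif` is the pause register carried over by Pre(E).
    Returns (status of S in the output environment, RTL of P, ACTIF+)."""
    SET_P1 = SET                                    # sequence: SET_P1 = SET
    RTL_P1 = actif                                  # pause: RTL = ACTIF
    SET_P2 = RTL_P1                                 # sequence equation (1)
    RESET_P1 = plus(RESET, RTL_P1)                  # sequence equation (2)
    actif_next = times(plus(SET_P1, actif), 1 - RESET_P1)   # pause: ACTIF+
    # RESET_P2 = RESET is not needed here: emit has no register to reset
    RTL_P2 = SET_P2                                 # emit: RTL = SET
    S_emit = mux(plus(1, S_in), RTL_P2)             # emit: 1 (+) i(S), driven by RTL through <|
    S_out = plus(S_in, S_emit)                      # sequence: (P1)_E (+) ((P2)_(P1)_E <| RTL_P1)
    RTL = RTL_P2                                    # sequence: RTL = RTL_P2
    return S_out, RTL, actif_next

def run(S_inputs):
    """Successive reactions; SET is 1 in the initial reaction only, RESET stays 0."""
    actif, trace = 0, []
    for i, s in enumerate(S_inputs):
        S_out, RTL, actif = reaction(s, actif, SET=1 if i == 0 else 0, RESET=0)
        trace.append((S_out, RTL, actif))
    return trace

if __name__ == "__main__":
    # constructed input: S is an output signal, so it enters each reaction as bot
    for step, (s, rtl, act) in enumerate(run([BOT, BOT, BOT]), 1):
        print(f"reaction {step}: S={s} RTL={rtl} ACTIF+={act}")
```

The trace shows the expected shape: in the first reaction the pause takes the control and nothing is emitted (RTL = 0, ACTIF+ = 1); in the second the pause is ready to leave, equation (1) hands the control to the emit, S becomes 1 and the whole sequence terminates while equation (2) resets the pause register; from the third reaction on the statement is idle. Feeding $\top$ as the incoming status of S shows the error being preserved by $1 \boxplus i(S)$ rather than overwritten.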



Abort 

The abort statement has for semantic the circuit described in figure 15 in appendix E. A register is 
introduced since the operator semantic is to not react instantaneously to the presence of the aborting 
signal: 

$$(abort\ P\ when\ S)_E = (P)_E \bullet \left\{\begin{array}{l} SET_P = SET \\ RESET_P = (\neg RESET \boxtimes S) \boxplus RESET \\ RTL = (\neg S \boxtimes RTL_P) \boxplus (S \boxtimes (SET \boxplus ACTIF)) \\ ACTIF^+ = (SET \boxplus ACTIF) \boxtimes \neg RESET \end{array}\right.$$
Loop 

The statement loop{P} has for semantic the circuit described in figure 16 in appendix E. The loop 
statement does not terminate and, similarly to its behavioral semantic, its circuit semantic is equal to 
the one of $P \gg loop\ P$: 

$$(loop\ P)_E = (P)_E \bullet \left\{\begin{array}{l} SET_P = SET \boxplus RTL_P \\ RESET_P = RESET \\ RTL = 0 \end{array}\right.$$



Local 

The local S {P} statement restricts the scope of S to the sub statement P. Unlike interface 
signals, such a signal can be both tested and emitted. Thus, we consider that S is a new signal that 
does not belong to the input environment (this is always possible, up to a renaming). Let SET, 
RESET and RTL be the respective input and output wires of the circuit; the equations of local S 
{P} are: 

$$(local\ S\ \{P\})_E = (P)_E \bullet \left\{\begin{array}{l} SET_P = SET \\ RESET_P = RESET \\ RTL = RTL_P \\ S = \bot \end{array}\right.$$



Run{P} 

The circuit for the run statement is described in figure 17 in appendix E. Intuitively, run {P} behaves 
similarly to P if P does not react instantaneously, and to pause || P otherwise. Thus, we get the following 
equation system: 

$$(run\ P)_E = Pre(E) \boxplus (P)_E \bullet \left\{\begin{array}{l} SET_P = SET \\ RESET_P = RESET \\ ACTIF_1^+ = (SET \boxplus ACTIF_1) \boxtimes \neg RESET \\ ACTIF_2^+ = (RTL_P \boxplus ACTIF_2) \boxtimes \neg RESET \\ RTL = ACTIF_1 \boxtimes (RTL_P \boxplus ACTIF_2) \end{array}\right.$$



Automata 

As already discussed, an automaton is a finite set of macro states. A macro state does not react instan- 
taneously, but takes at least an instant. Figure 18 in appendix E describes the circuit semantic for 
$A(\mathcal{M}, T, Cond, M_f, O, \lambda)$. The equational semantic of automata is the following set of equations: 

$$(A)_E = \mathop{\boxplus}\limits_{M \in \mathcal{M}} (M)_{\varepsilon_M} \bullet \bigcup_{M \in \mathcal{M}} \left\{\begin{array}{l} SET_M = \left(\sum_{M_i \to M \in T} RTL_{M_i} \boxtimes c_{M_i \to M}\right) \boxplus \left(SET \boxtimes \sum_{\to M \in T} c_{\to M}\right) \\ RESET_M = \left(\sum_{M \to M_i \in T} RTL_M \boxtimes c_{M \to M_i}\right) \boxplus RESET \\ RTL = RTL_{M_f} \end{array}\right.$$

where $\varepsilon_M$ is defined by: 

$$\varepsilon_M = E[s^{1 \lhd c_{\to M}} \mid s \in \lambda(\to M)] \boxplus \mathop{\boxplus}\limits_{M_i \to M \in T} E[s^{1 \boxtimes c_{M_i \to M}} \mid s \in \lambda(M_i \to M)] \lhd c_{M_i \to M}$$

To complete the automata circuit semantic definition, we now detail the circuit for macro states. Let $M$ 
be a single macro state (which does not contain a run P instruction); then its associated circuit is 
similar to the one of pause: 

$$(M)_E = Pre(E) \bullet \left\{\begin{array}{l} ACTIF^+ = (SET_M \boxplus ACTIF) \boxtimes \neg RESET_M \\ RTL_M = ACTIF \end{array}\right.$$

Otherwise, if the macro state $M$ contains a run P instruction, its circuit is the combination of the equa- 
tions for a single macro state and the equations for the run operator: 

$$\left\{\begin{array}{l} SET_P = ACTIF_1 \\ RESET_P = RESET_M \\ ACTIF_1^+ = (SET_M \boxplus ACTIF_1) \boxtimes \neg RESET_M \\ ACTIF_2^+ = (RTL_P \boxplus ACTIF_2) \boxtimes \neg RESET_M \\ RTL_M = ACTIF_1 \boxtimes (RTL_P \boxplus ACTIF_2) \end{array}\right.$$

Notice that a register is generated for each state, but in practice we create only $\log_2 n$ registers if the 
automaton has $n$ states, according to the well-known binary encoding of states. 



4.3 Equivalence between Behavioral and Circuit Semantic 

The circuit semantic allows us to compile LE programs in a compositional way. Given a non basic 
statement $p\ Op\ q$ (let $Op$ be an operator of LE), its associated circuit is deduced from $(p)_E$ 
and $(q)_E$ by applying the semantic rules. On the other hand, the behavioral semantic gives a meaning 
to each program and is logically correct, and we prove now that these two semantic agree on both 
the set of emitted signals and the termination flag value for a LE program $P$. To prove this equiva- 
lence, we consider a global input environment $E$ containing input events and output events set to $\bot$. 
Considering the circuit semantic, the global environment (denoted $E_c$) is $E \cup P_S \cup P_R$. 
To prove the equivalence between behavioral and circuit semantic, first we introduce a notation: 
let $P$ be a LE statement; $SET(P)$, $RESET(P)$ and $RTL(P)$ will denote respectively the SET, 
RESET and RTL wires of $P$. Second, we introduce the notion of size for a statement. 
Definition 

We define $[P]$, the size of $P$, as follows: 

• [nothing] = 1; 

• [halt] = 1; 

• [emit] = 1; 

• [pause] = 1; 

• [wait] = 1; 

• [present S {P1} else {P2}] = [P1] + [P2] + 1; 

• [P1 || P2] = [P1] + [P2] + 1; 

• [P1 $\gg$ P2] = [P1] + [P2] + 1; 

• [abort {P} when S] = [P] + 1; 

• [loop {P}] = [P] + 1; 

• [local S {P}] = [P] + 1; 

• [automata($\mathcal{M}$, T)] = $\sum [M_i]$ such that $M_i \in \mathcal{M}$, + 1; 

Theorem. Let $P$ be a LE statement and $E_0$ an input environment. For each reaction, the following 
property holds: 

$$\Gamma(P) \xrightarrow[E]{E',\,TERM} \Gamma(P)',\ \text{where } E = E_c - \{w \mid w \in P_S \text{ or } w \in P_R\};\ TERM = RTL(P)_{val};\ \text{and } (P)_{E_c}|_o = E'|_o$$

Proof 

We perform an inductive proof on the size of $P$. Notice that the proof requires to distinguish the 
initial reaction from the others. In this reaction, $SET(P) = 1$ and it is the only instant when this 
equality holds. For statements reacting instantaneously, we consider only an initial reaction, since 
considering following reactions is meaningless for them. 

We perform a proof by induction on the size of $P$. First, we prove the theorem for basic state- 
ments whose size is 1. According to the previous definition of $[\,]$, $P$ is either nothing, halt, 
emit, pause or wait. 

1. P = nothing; 

then $\Gamma(P) = nothing$. Following the equational semantic for the nothing statement: 

$$(P)_{E_c} = E_c \bullet \{RTL(P) = SET(P)\}$$

Hence, $(P)_{E_c}|_o = E_c|_o = E|_o = E'|_o$. Moreover, $RTL(P) = SET(P) = 1$ thus 
$RTL(P)_{val} = 1$; 

2. P = halt; 

then $\Gamma(P) = halt$. Similarly to nothing, $(P)_{E_c}|_o = E'|_o$ and $RTL(P) = 0$ thus $RTL(P)_{val} = 0$; 

3. P = emit S; 

then $\Gamma(P) = !S$. In the behavioral rule for ! as well as in the circuit equations for emit, we set 
the status of signal $S$ to 1 in the respective environments. From the definition, $E_c|_o = E|_o$, 
thus obviously $(P)_{E_c}|_o = E'|_o$. Moreover, $RTL(P) = SET(P) = 1$ thus $RTL(P)_{val} = 1$. 

4. P = wait S; 

According to the circuit semantic, $C(P)$ has a register wire and we denote it $ACTIF(P)$. The 
equations for wait are: 

$$(P)_E = Pre(E) \bullet \left\{\begin{array}{l} RTL(P) = ACTIF(P) \boxtimes S \\ ACTIF(P)^+ = (SET(P) \boxplus ACTIF(P)) \boxtimes \neg RESET(P) \end{array}\right.$$

The proof of the theorem falls into two cases: 

(a) $ACTIF(P) = 0$: we are in the initial reaction and then $SET(P) = 1$, $RESET(P) = 0$. 
It is obvious that $ACTIF(P)^+ = 1$. Then $ACTIF(P)$ becomes 1 in the environment 
according to the $Pre$ operation and all output wires keep their status in $E'_c$. When 
such a reaction occurs, in the behavioral semantic definition, the wait rule is applied. 
Following this rule $E' = E$. Thus $(P)_{E_c}|_o = E_c|_o = E|_o = E'|_o$, according to the 
$Pre$ operation definition, which does not concern output signals. From the equations 
above, we get $RTL(P) = 0$ whatever the status of $S$ is, and then $RTL(P)_{val} = 0$; this 
is in compliance with the wait rule. Another situation where $ACTIF(P) = 0$ is when 
$RESET(P)$ has been set to 1 in the previous reaction. This case occurs only if the wait 
statement is the first part of a $\gg$ operator or the internal statement of an abort operator. 
In both cases, $RTL(P) = 0$, then $RTL(P)_{val} = 0 = TERM_{\Gamma(P)}$, and in both semantic 
the outgoing environments remain unchanged, and then the theorem still holds. 






(b) $ACTIF(P) = 1$: we are not in the initial reaction. Then, the corresponding rules applied 
in the behavioral semantic are either iwait1 or iwait2, depending on the status of $S$ in the environ- 
ment. Similarly to item 1, neither the iwait1 and iwait2 rules nor the $Pre$ operation change the 
environment output signals, thus $(P)_{E_c}|_o = E'|_o$. 

If $S^1 \in E_c$ then $S^1 \in E$, since it is either an input signal or a local one for the statement, 
and then we apply rule iwait1; then $RTL(P) = 1$ and thus $RTL(P)_{val} = 1$. Otherwise, 
if $S^x \in E_c$ with $x \neq 1$, then $ACTIF(P) \boxtimes S = (1, S_{def}.S_{val}.ACTIF(P)_{val}) = (1, 0)$ 
for $x = 0$, $\bot$ or $\top$. Thus $RTL(P) = 0$ and $RTL(P)_{val} = 0$. 

$[P] = n$ 

Now we study the inductive step. Assume that the theorem holds for statements whose size is less 
than $n$. We study the case where the size of $P$ is $n$. Then $P$ is either a present, $\parallel$, $\gg$, abort, loop, 
local or automata statement. 

1. P = present S {P1} else {P2}; 

Thus, according to the equational semantic, we know that: 

$$(P)_{E_c} = (P_1)_{E_c \lhd (S_{def}.S_{val})} \boxplus (P_2)_{E_c \lhd (S_{def}.\neg S_{val})} \boxplus E_c \lhd \neg(S_{def}.S_{val}) \boxplus E_c \lhd \neg(S_{def}.\neg S_{val}) \bullet \{RTL(P) = RTL(P_1) \boxplus RTL(P_2) \boxplus (1 \lhd \neg S_{def}.S_{val})\} \cup C(P)$$

On the other hand, $\Gamma(P) = S\,?\,p_1 : p_2$ where $p_1 = \Gamma(P_1)$ and $p_2 = \Gamma(P_2)$. The behavioral 
semantic relies on the four rules defined in section 3.2. 

By induction, we know that $(P_1)_{E_c}|_o = E'_1|_o$ and $(P_2)_{E_c}|_o = E'_2|_o$, where $E'_1$ (resp. 
$E'_2$) is the output environment of $p_1$ (resp. $p_2$) computed from the $E$ input environment, and 
$RTL(P_1)_{val} = TERM_{p_1}$ and $RTL(P_2)_{val} = TERM_{p_2}$. To prove the theorem for the present 
operator, we study the different possible statuses of $S$ in the input environment (common to both 
semantic). 

(a) If $S$ is present, then $S_{def} = 1$ and $S_{val} = 1$. For the output signal valuation, since 
$S_{def}.S_{val} = 1$, from the induction hypothesis we deduce that $(P)_{E_c}|_o = E'|_o$. Con- 
cerning the RTL wire and the termination flag, if we consider the present operator equations, 
since $S_{def} = 1$ and $S_{val} = 1$ we deduce that $SET(P_1) = 1$ and $SET(P_2) = 0$. 
Thus $RTL(P_2) = 0$ too: either $P_2$ has no register and then its RTL value depends 
directly on the SET value, or $P_2$ has a register. In this case, its RTL value de- 
pends on the register value, but this latter cannot be 1 while the SET value is 0. Thus, 
$RTL(P)_{val} = RTL(P_1)_{val} = TERM_{p_1} = TERM_{\Gamma(P)}$ with respect to rule present1 
in the behavioral semantic. 

(b) If $S$ is absent, the proof is similar, with $S_{def} = 1$ and $S_{val} = 0$ and according to the fact 
that rule present2 is applied in the behavioral semantic. 

(c) If $S$ status is $\bot$, then $S_{def} = 0$ and $S_{val} = 0$. In this case $(P)_{E_c} = E_c$ and $E' = E$, 
thus the result concerning outputs is obvious by induction. Concerning RTL wires and 
the termination flag, since $S_{def} = 0$, both $SET(P_1)$ and $SET(P_2)$ are 0 and then also 
$RTL(P_1)$ and $RTL(P_2)$ are. Thus $RTL(P) = 0$ and $RTL(P)_{val} = 0 = TERM_{\Gamma(P)}$ 
according to rule present3 of the behavioral semantic. 

(d) If $S$ has status $\top$, then an error occurs and in both semantic all signals in the environment 
are set to $\top$. In this case, $RTL(P) = 1$ and, according to rule present4 of the behavioral 
semantic, $RTL(P)_{val} = TERM_{\Gamma(P)} = 1$. 

2. P = P1 || P2; 

Thus, the equations for $P$ are the following: 

$$(P)_{E_c} = (P_1)_{E_c} \boxplus (P_2)_{E_c} \bullet \left\{\begin{array}{l} SET(P_1) = SET(P) \\ SET(P_2) = SET(P) \\ RESET(P_1) = RESET(P) \\ RESET(P_2) = RESET(P) \\ ACTIF_1(P)^+ = (RTL(P_1) \boxplus ACTIF_1(P)) \boxtimes \neg RESET(P) \\ ACTIF_2(P)^+ = (RTL(P_2) \boxplus ACTIF_2(P)) \boxtimes \neg RESET(P) \\ RTL(P) = (RTL(P_1) \boxplus ACTIF_1(P)) \boxtimes (RTL(P_2) \boxplus ACTIF_2(P)) \end{array}\right.$$

In the LE process algebra, $\Gamma(P) = p_1 \parallel p_2$, where $p_1 = \Gamma(P_1)$ and $p_2 = \Gamma(P_2)$. We recall the 
parallel rule of the behavioral semantic for $\parallel$: 

$$\frac{p_1 \xrightarrow[E]{E'_1,\,TERM_{p_1}} p'_1 \quad p_2 \xrightarrow[E]{E'_2,\,TERM_{p_2}} p'_2}{p_1 \parallel p_2 \xrightarrow[E]{E'_1 \boxplus E'_2,\,TERM_{p_1}.TERM_{p_2}} p'_1 \parallel p'_2}$$

By induction, we know that $(P_1)_{E_c}|_o = E'_1|_o$ and $(P_2)_{E_c}|_o = E'_2|_o$ and $RTL(P_1)_{val} = 
TERM_{p_1}$ and $RTL(P_2)_{val} = TERM_{p_2}$. 

Both equational and behavioral semantic perform the same $\boxplus$ operation on the environments 
resulting from the computation of the respective semantic on the two operands. Thus, the result 
concerning the outputs is directly deduced from the induction hypothesis. 

Concerning the RTL wire, $(RTL(P_1) \boxtimes RTL(P_2))_{val} = RTL(P_1)_{val}.RTL(P_2)_{val}$ by 
definition of the $\boxtimes$ operation and according to the fact that $RTL(P_1)_{def} = RTL(P_2)_{def} = 1$, and 
by induction $RTL(P)_{val} = TERM_{p_1}.TERM_{p_2} = TERM_{\Gamma(P)}$. 

3. P = P1 $\gg$ P2; 

The equations for the $\gg$ operator are the following: 

$$(P)_{E_c} = (P_1)_{E_c} \boxplus ((P_2)_{(P_1)_{E_c}} \lhd RTL(P_1)) \bullet \left\{\begin{array}{ll} SET(P_1) = SET(P) & \\ SET(P_2) = RTL(P_1) & (1) \\ RESET(P_1) = RESET(P) \boxplus RTL(P_1) & (2) \\ RESET(P_2) = RESET(P) & \\ RTL(P) = RTL(P_2) & \end{array}\right.$$

In the LE process algebra, $\Gamma(P) = p_1 \gg p_2$ where $p_1 = \Gamma(P_1)$ and $p_2 = \Gamma(P_2)$. 
The proof depends on the value of $RTL(P_1)$ in the equational semantic: 

(a) $RTL(P_1) = 0$; 

By induction we know that $p_1 \xrightarrow[E]{E'_{p_1},\,TERM_{p_1}} p'_1$ and $TERM_{p_1} = RTL(P_1)_{val} = 0$. 

Then, in the behavioral semantic, rule sequence1 is applied. Thus, $TERM_{\Gamma(P)} = 0$ 
and $E' = E'_{p_1}$. In the equational semantic, $SET(P_2) = RTL(P_1)$ thus $SET(P_2) = 0$ 
and so is $RTL(P_2)$ (see the proof of the present operator) and $RTL(P)$ too. $RTL(P_1)_{val} = 0$ 
and according to the $\lhd$ definition, $((P_2)_{(P_1)_{E_c}} \lhd RTL(P_1)) = E_\bot$. Thus, $(P)_{E_c} = 
(P_1)_{E_c} \bullet C(P)$, and $(P)_{E_c}|_o = (P_1)_{E_c}|_o$. On the other hand, in the behavioral semantic, we 
have $E'|_o = E'_{p_1}|_o$. Thus, from the induction hypothesis, we deduce that $(P)_{E_c}|_o = E'|_o$. 

(b) $RTL(P_1) = 1$; 

In this case, $TERM_{p_1} = RTL(P_1)_{val} = 1$ and rule sequence2 is applied in the 
behavioral semantic. By induction, we know that $TERM_{p_2} = RTL(P_2)_{val}$. But 
$RTL(P) = RTL(P_2)$, then $RTL(P)_{val} = TERM_p$. For environments, by induction 
we also know that $(P_1)_{E_c}|_o = E'_{p_1}|_o$. In both semantic, the only way to change the 
value of an output signal in the environment is with the help of the emit operator. Then, 
the status of an output signal $o$ changes in $(P_1)_{E_c}$ because $P_2$ involves an emit $o$ 
instruction. Hence, relying on the induction hypothesis, we know that $o$ has the same 
status in $(P_1)_{E_c}$ and in $E'_{p_1}$. But a status cannot be changed in two different ways in 
$(P)_{E_c}$ and $E'$, since the emit operator performs the same operation on environments in both 
semantic. 

4. P = abort P1 when S; 

Thus, the output environment is the solution of the following equations: 

$$\left\{\begin{array}{l} SET(P_1) = SET(P) \\ RESET(P_1) = (\neg RESET(P) \boxtimes S) \boxplus RESET(P) \\ RTL(P) = (\neg S \boxtimes RTL(P_1)) \boxplus (S \boxtimes (SET(P) \boxplus ACTIF(P))) \\ ACTIF(P)^+ = (SET(P) \boxplus ACTIF(P)) \boxtimes \neg RESET(P) \end{array}\right.$$

$\Gamma(P) = p_1 \uparrow s$ where $p_1 = \Gamma(P_1)$. 

First, notice that in abort1, abort2 and abort3 of the behavioral semantic, the output environment 
$E'$ is $E'_{p_1}$. Similarly, in the equational semantic $E'_c$ is improved by the set of connection 
wire equations for the abort statement. Then, applying the induction hypothesis, we can deduce 
$E'|_o = (P)_{E_c}|_o$. 

Now, we prove that the termination wire coincides with the termination flag in the respective equational 
and behavioral semantic. We study first the case where $S$ is present and then the case when 
it is not. 

(a) $S^1 \in E$: 

Thus, $S^1 \in E_c$ too. In this case, $RTL(P) = SET(P) \boxplus ACTIF(P)$. In the initial 
reaction $SET(P) = 1$ and $ACTIF(P) = 0$, and in further reactions $SET(P) = 0$ 
and $ACTIF(P) = 1$. Then, in all reactions $RTL(P) = 1$. On the other hand, 
it is rule abort1 that is applied in the behavioral semantic and thus $TERM_{\Gamma(P)} = 1$. Hence, 
$RTL(P)_{val} = TERM_{\Gamma(P)}$. However, $ACTIF(P)$ can become 0. But that means that 
in a previous reaction $RESET(P) = 1$ and $P$ is encompassed in a more general state- 
ment $P_g$ which is either another abort or a sequence statement, since these are the only 
operators that set the RESET wire to 1. If $P_g$ is an abort statement, its abortion signal 
is 1 in the input environment and then we are in one of the previous cases already studied. 
Otherwise, that means that $P$ is encompassed in the first operand of $P_g$ whose RTL is 
1 and we can rely on the reasoning performed for the sequence operator to get the result we 
want. 

(b) $S^1 \notin E$: thus $S^1 \notin E_c$ too. If we expand the value of $S$ in the RTL equation, we get 
$RTL(P) = RTL(P_1)$. In the behavioral semantic either rule abort2 or abort3 is applied 
according to the value of $TERM_{p_1}$. But, whatever this value is, by induction we get the 
result. 

5. P = loop { P1 }; 
Thus, 

$$(P)_{E_c} = (P_1)_{E_c} \bullet \left\{\begin{array}{l} SET(P_1) = SET(P) \boxplus RTL(P_1) \\ RESET(P_1) = RESET(P) \\ RTL(P) = 0 \end{array}\right.$$

$\Gamma(P) = \Gamma(P_1)^*$ and rule loop is applied in the behavioral semantic to compute the reaction 
of $\Gamma(P)$. According to this latter, $p_1^* \xrightarrow[E]{} p'_1 \gg p_1^*$ when $p_1 \xrightarrow[E]{} p'_1$. By 
induction, we know that $(P_1)_{E_c}|_o = E'_{p_1}|_o$, thus $(P)_{E_c}|_o = E'|_o$, and $RTL(P) = 0$ thus 
$RTL(P)_{val} = 0 = TERM_{\Gamma(P)}$. 

6. P = local S {P1}; 

According to the equational semantic, the following equations define the local operator: 

$$\left\{\begin{array}{l} SET(P_1) = SET(P) \\ RESET(P_1) = RESET(P) \\ RTL(P) = RTL(P_1) \\ S = \bot \end{array}\right.$$

In the LE process algebra $\Gamma(P) = p_1 \backslash S$ where $\Gamma(P_1) = p_1$. The local rule is applied in the 
behavioral semantic: 

$$\Gamma(P) \xrightarrow[E]{E'_1 - \{S\},\,TERM_{p_1}} p'_1 \backslash S \quad \text{when} \quad p_1 \xrightarrow[E \cup \{S\}]{E'_1,\,TERM_{p_1}} p'_1$$

Following the induction hypothesis, $(P_1)_{E_c}|_o = E'_1|_o$ and $RTL(P_1)_{val} = TERM_{p_1}$. 

Then $(P_1)_{E_c} - \{S\}|_o = E'_1|_o - \{S\}$ and $(P)_{E_c}|_o = E'|_o$, directly from the induction 
hypothesis. 
7. P = run {P1}

The run operator is not a primitive one, and we defined it as: wait tick || P1. Thus, the
property holds for the run operator since it holds for both the wait and || operators.

8. $P = A(M, T, Cond, M_f, O, \lambda)$.

Automata are both terms in PLE process algebra and programs in LE language. The equations
for automata are the following:

$(P)_{\mathcal{E}} = \sum_{M} (M)_{\mathcal{E}_M} \cdot \left\{ \begin{array}{l} SET(M) = SET(P) \cdot \sum_{\to M \in T} c_{\to M} \boxplus \sum_{M_i \to M \in T} RTL(M_i) \cdot c_{M_i \to M} \\ RESET(M) = RESET(P) \boxplus \sum_{M \to M_j \in T} RTL(M) \cdot c_{M \to M_j} \\ RTL(P) = RTL(M_f) \end{array} \right.$

where $\mathcal{E}_M$ is defined by:

$\mathcal{E}_M = E_C[s \leftarrow c_{\to M} \mid s \in \lambda(\to M)] \boxplus \sum_{M_i \to M \in T} E_C[s \leftarrow c_{M_i \to M} \mid s \in \lambda(M_i \to M)]$

First of all, let us consider macro states. These latter are either single macro states equivalent
to a pause statement, or they contain a run P instruction and then are equivalent to a pause
>> P instruction. In both cases, we have already proven that the theorem holds. Now, to prove
the theorem for automata, we perform an inductive reasoning on the sequence of reactions.

In the first reaction SET(P) = 1. All the RTL(M) are 0, since macro states have at least
a one instant duration, thus $RTL(P)_{val} = 0$. On the other side, in the behavioral semantic, rule
automaton1 is applied and $TERM_P = 0$ too.

For environments, for each macro state M, in the first reaction

$\mathcal{E}_M = E_C[s \leftarrow 1 \text{ when } c_{\to M} = 1 \text{ and } s \in \lambda(\to M) \text{ and } \to M \in T]$

When looking at the equations related to M, we see that no output signal status can be modified
in the first reaction: either it is a single macro state and then no output signal is modified
whatever the reaction is, or it contains a run P0 statement but SET(P0) cannot be true in
the initial reaction and so no output signal status can be modified (the only operator that
modifies an output status is the emit one, and if the SET wire of an emit statement is not 1, the
status of the emitted signal remains unchanged). Thus, the behavioral semantic in rule
automaton1 as well as the equational semantic set to 1, in their respective environments, the output signals
emitted in the initial transitions that reach M. Hence, $E_C \downarrow_O = E \downarrow_O$.



Now, we consider that the result is proved for the previous n reactions, and we prove the
result for the (n+1)-th reaction. In this reaction, for each macro state $M \neq M_f$, if there is no
transition $M_i \to M$ such that $c_{M_i \to M} = 1$, then $\mathcal{E}_M = E_{C_n}$ where $E_{C_n}$ is the environment
obtained after the previous n reactions. Thus, $(M)_{\mathcal{E}_M}$ is $E_{C_n} \cdot C(M)$ where $C(M)$ is the set of
equations related to macro state M. In the behavioral semantic, it is rule automaton1 which
is applied and thus, relying both on the induction hypothesis ensuring that $E_{C_n} \downarrow_O = E_n \downarrow_O$ and on
the fact that the theorem is true for macro states, we deduce the result. Concerning the TERM
flag, as M is not final, $SET(M_f) = 0$ and so is $RTL(M_f)$. Hence $RTL(P) = 0$, thus
$RTL(P)_{val} = 0$ too and $RTL_{\Gamma(P)}$ too (cf. rule automaton1). On the other hand, if there is a
transition $M_i \to M$ such that $c_{M_i \to M} = 1$, then $\mathcal{E}_M = E_{C_n} \boxplus \sum_{(M_i \to M)} E_{C_n}[s \leftarrow 1 \mid s \in \lambda(M_i \to M)]$: there
is a transition $M_k \to M$ such that $c_{M_k \to M} = 1$, thus similarly to the case where n = 1, we have

$\mathcal{E}_M = E_{C_n}[s \leftarrow 1 \text{ when } c_{M_k \to M} = 1 \text{ and } s \in \lambda(M_k \to M) \text{ and } M_k \to M \in T]$

Since $E_{C_n}$ is the resulting environment of the previous instant, we know that $E_{C_n} \downarrow_O = E_n \downarrow_O$.
On the other hand, it is rule automaton2 that is applied in the behavioral semantic and the
output environment is modified in the same way for both semantics. Similarly to the first
instant, the equations for M cannot modify the environment in the first instant where SET(M) is 1.
Then, $E_{C_{n+1}} \downarrow_O = E_{n+1} \downarrow_O$. In this case $RTL(M_f)$ is still 0, thus $RTL(P) = 0$ and so is
$RTL(P)_{val}$. Hence, according to rule automaton2, the result for the TERM flag holds.

Now, we consider that there is a transition $M_k \to M_f$ such that $c_{M_k \to M_f} = 1$ [1]. In
this case, a reasoning similar to the case where M is not a final macro state holds concerning output
environments. For the termination flag, in the equational semantic, $RTL(P) = 1$ when
$RTL(M_f) = 1$. A similar situation holds for the behavioral semantic where it is rule automaton3
which is applied. Then, the result is deduced from the general induction hypothesis since the
size of macro states is less than the size of automata by definition.

5 LE Modular Compilation 
5.1 Introduction 

In the previous section, we have shown that every construct of the language has a semantic expressed
as a set of ξ equations. The first compilation step is the generation of a ξ equation system for each
LE program, according to the semantic laws described in section 4. Then, we translate each ξ circuit
into a boolean circuit relying on the bijective map from ξ-algebra to B × B defined in section 3.
This encoding allows us to translate a ξ equation system into a boolean equation system (each equation
being encoded by two boolean equations). Thus, we can rely on a constructive propagation law to
implement equation system evaluation and then generate code, simulate or link with external code.
But this approach requires finding an evaluation order valid for all synchronous instants. Usually,
in the most popular existing synchronous languages, this order is static. This static ordering forbids
any separate compilation mechanism, as illustrated in the following example. Let us consider
the two modules first and second compiled separately. Depending on the order chosen
for sorting the independent variables of each module, their parallel combination may lead to a causality
problem (i.e. there is a dependency cycle in the resulting equation system).

[1] The demonstration is the same when the transition is initial (i.e. $M_f = 1$).



module first:
  Input: I1, I2;
  Output: O1, O2;
  loop {
    pause >>
    {
      present I1 {emit O1}
      ||
      present I2 {emit O2}
    }
  }
end

module second:
  Input: I3;
  Output: O3;
  loop {
    pause >> present I3 {emit O3}
  }
end

module final:
  Input: I;
  Output: O;
  local L1, L2 {
    run first[L2\I1, O\O1, I\I2, L1\O2]
    ||
    run second[L1\I3, L2\O3]
  }
end
Figure 2: Causality cycle generation: O1, O2 and O3 signals are independent. But, when choosing a
total order, we can introduce a causality cycle. If ordering (1) is chosen, in module final, taking into
account the renaming, we obtain the system { L1 = I, L2 = L1, O = L2 } which is well sorted. On
the contrary, if we choose ordering (2), in module final we get { L2 = L1, O = L2, L1 = I } which
has a causality cycle.

Figure 2 describes a LE module calling two sub modules. Two compilation scenarios are shown
on the right part of the figure. The first one leads to a sorted equation system while the second
introduces a fake causality cycle that prevents any code generation. Independent signals must stay
unrelated: we aim at building an incremental partial order. Hence, while ordering the equation
system, we keep enough information on signal causality to preserve the independence of signals.
To this aim, we define two variables for each equation, namely (Early Date, Late Date), to record
the level when the equation can (resp. must) be evaluated. Each level is composed of a set of
independent equations. Level 0 characterizes the equations evaluated first because they only depend
on free variables, while level n+1 characterizes the equations needing the evaluation of variables from
lower levels (from n to 0) to be evaluated. Equations of the same level are independent and so can
be evaluated whatever the chosen order is. This methodology is derived from the PERT method.
This latter has been well known for decades in industrial production. Historically, this method was
invented for the space race, back in the 60s when NASA was facing the problem of
synchronizing 30,000 independent, thus "concurrent", suppliers to build the Saturn V rocket.



5.2 Sort algorithm: a PERT family method 

Usually, the PERT method is applied in a task management context and each task has a duration. In
our usage, taking the duration of tasks into account makes no sense and the algorithm we rely on to implement
the PERT method is simplified. It is divided into two phases. The first step constructs a forest where
each tree represents variable dependencies. Thus an initial partial order is built. The second step is
the recursive propagation of early and late dates. If a cycle is found during the propagation, there
is a causality cycle in the program. Of course the propagation ends since the number of variables is
finite. At worst, if the algorithm is successful (no causality cycle is found), we can find a total order
with a single variable per level (n variables and n levels).



5.2.1 Sorting algorithm Description 

More precisely, the first step builds two dependency sets (upstream, downstream) for each variable
with respect to the equation which defines it. This first algorithm is detailed in appendix B.1. The
upstream set of a variable X is the set of variables needed to compute X, while the downstream
set is the set of variables that need the value of X to be evaluated. In practice, boolean equation
systems are implemented using binary decision diagrams (BDDs). Consequently the computation of
the downstream table is given for free by the BDD library.



  a = x + y
  b = x + not z
  c = a + t
  d = a + c
  e = a + t

(a) Equation system

(b) Dependence forest [figure: downstream dependence and upstream dependence trees]

(c) Date propagation [figure: early and late date propagation]

Figure 3: The dependence forest and propagation law application for a specific equation system. The
different PERT levels are specified on the left hand side of figure 3(c).

We illustrate the sorting algorithm we built on an example. Let us consider the set of equations
expressed in figure 3(a). After the first step, we obtain the dependency forest described in figure 3(b).
Then, we perform early and late date propagation. Initially, all variables are considered independent
and their dates (early, late) are set to (0, 0). The second step recursively propagates the Early
Dates from the input and the register variables to the output variables and propagates the Late Dates
from the output variables to the input and the register ones according to an n log n propagation
algorithm. The algorithm that implements this second phase is detailed in appendix B.2. Following the
example presented in figure 3(a), the algorithm results in the dependencies described in figure 3(c).

5.2.2 Linking two Partial Orders 

The approach allows an efficient merge of two already sorted equation systems, which is useful to perform
separate compilation. To link the forest computed for module 1 with the forest computed for module
2, we don't need to launch the sorting algorithm again from its initial step. In fact, it is sufficient
to only adjust the early (late) dates of the variables common to both equation systems and their
dependencies. Notice that the linking operation applies the ξ-algebra plus operator to merge common
equations (i.e. equations which compute the same variable). Then, we need to adjust evaluation dates:
every output variable of module 1 propagates a new late date to every upstream variable (the variables it needs). Conversely,
every input variable of module 2 propagates a new early date to every downstream variable (the variables that need it).

5.3 Practical Issues 

We have mainly detailed the theoretical aspect of our approach; in this section we discuss
the practical issues of its implementation.

5.3.1 Effective compilation 

Relying on the equational semantic, we compile a LE program into a ξ-algebra equation system. We
call the compilation tool that achieves such a task CLEM (Compilation of LE Module). In order to
perform separate compilation of LE programs, we define an internal compilation format called LEC
(LE Compiled code). This format is highly inspired from the Berkeley Logic Interchange Format
(blif, see http://embedded.eecs.berkeley.edu/Research/vis). This latter is a very compact format to represent netlists and we just add to it syntactic
means to record the early date and late date of each equation. Practically, the CLEM compiler, among
other output codes, generates the LEC format in order to reuse already compiled code in an efficient way,
thanks to the PERT algorithm we implement.

5.3.2 Effective Finalization 

Our approach to compile LE programs into a sorted ξ equation system in an efficient way requires to
be completed by what we call a finalization phase to be effective. To generate code for simulation,
verification or evaluation, we must start from a valid boolean equation system, i.e. we consider only
equation systems where no event has value ⊤, since that means there is an error and we propagate
this value to each element of the environment in the semantic previously described. Validity also
means well sorted equation systems, to avoid dealing with programs having causality cycles. But in
our approach we never set input event status to absent. Hence, we introduce a finalization operation
which replaces all ⊥ input events by absent events and propagates this information in all equations
related to local variables and outputs. Notice that the finalization operation is harmless. The sorting
algorithm relies on propagation of signal status, and the substitution of ⊥ by absent cannot change
the resulting sorted environment.

Let us illustrate the finalization mechanism on an example. In the following code O1 and O2 depend
on the I status:

  loop {
    present I {emit O1} else {emit O2}
    >> pause
  }

Before finalization, we get the following equation system:

  O1def = Idef
  O1val = Ival · Idef
  O2def = Idef

We can see that O1def and O2def are not constant because I is not necessarily defined for each
instant (i.e. Idef can be 0 if I is ⊥). After finalization Idef is set to 1 and Ival remains free. According
to the mapping from ξ-algebra to B × B, an event X such that Xdef = 0 is either ⊤ or ⊥. Since
we discard equation systems where an event has value ⊤, to switch from the ⊥ value to the absent value
it is sufficient to set the def part of a variable to 1. Now for each logical instant the status (present,
absent) of I is known. The O1 and O2 equations become:

  O1def = 1
  O1val = Ival
  O2def = 1
  O2val = ¬Ival

We bring together the compilation and finalization processes in a tool named CLEF (Compilation of LE
programs and Finalization).
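As an added example (not code from the report or from the CLEF tool), the finalization step applied to the present/else program above, with ξ events encoded as (def, val) pairs. The exact pairs chosen for ⊥, absent, present and ⊤, and the O2val equation before finalization, are assumptions, marked as such in the code.

```python
# Encoding of xi events as (def, val) pairs. The report only states that
# def = 0 covers both top and bottom; the exact pairs are assumed here.
BOTTOM, ABSENT, PRESENT, TOP = (0, 0), (1, 0), (1, 1), (0, 1)
NAMES = {BOTTOM: "bottom", ABSENT: "absent", PRESENT: "present", TOP: "top"}

# Boolean equation system of `present I {emit O1} else {emit O2}` before
# finalization: one def and one val equation per xi equation. The O2val
# equation is not printed in the report and is assumed by symmetry with O1val.
SYSTEM = {
    "O1def": lambda e: e["Idef"],
    "O1val": lambda e: e["Ival"] & e["Idef"],
    "O2def": lambda e: e["Idef"],
    "O2val": lambda e: (1 - e["Ival"]) & e["Idef"],
}

def evaluate(system, inputs):
    """Evaluate a sorted boolean equation system for one instant."""
    env = dict(inputs)
    for var, equation in system.items():
        env[var] = equation(env)
    return env

def finalize(system, input_names):
    """Finalization: every bottom input event becomes absent by forcing
    Xdef = 1 while Xval stays free. A system where an input is top is
    rejected, since the report discards such systems before this step."""
    def force(env):
        env = dict(env)
        for x in input_names:
            if (env[x + "def"], env[x + "val"]) == TOP:
                raise ValueError(f"input {x} has value top: invalid system")
            env[x + "def"] = 1
        return env
    return {var: (lambda eq: (lambda env: eq(force(env))))(equation)
            for var, equation in system.items()}

def react(system, i_status):
    """Statuses of (O1, O2) for one status of the input I."""
    idef, ival = i_status
    env = evaluate(system, {"Idef": idef, "Ival": ival})
    return (env["O1def"], env["O1val"]), (env["O2def"], env["O2val"])

FINAL = finalize(SYSTEM, ["I"])

if __name__ == "__main__":
    # Before finalization a bottom I leaves O1 and O2 undefined; after it,
    # the bottom input is read as absent and the else branch emits O2.
    for status in (PRESENT, ABSENT, BOTTOM):
        before = [NAMES[o] for o in react(SYSTEM, status)]
        after = [NAMES[o] for o in react(FINAL, status)]
        print(f"I {NAMES[status]:7}: before {before}  after {after}")
```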

5.3.3 Compilation scheme 

Now, we detail the toolkit we have to specify, compile, simulate and execute LE programs. A LE
file can be directly written. In the case of an automaton, it can also be generated by an automaton editor like
galaxy. Each LE module is compiled into a LEC file and includes one instance of each RUN module
reference. These references may already have been compiled in the past by a first call of the clem compiler.
When the compilation process is done, the finalization simplifies the final equations and generates
a file for the target use: simulation, safety proofs, hardware description or software code. This is
summed up in figure 4.
Figure 4: Compilation Scheme [diagram: LE generated codes (from an automaton editor like galaxy), LE human codes and already compiled LEC files feed the COMPILER and LINKER, then the FINALISER, which produces the TARGETS: simulation and formal proofs (blif), hardware descriptions (vhdl), software codes and software models (esterel, lustre)]
5.4 Benchmark

To complement the experimentation on the example, we have done some tests on the CLEM compiler.
We are interested in how the size of the generated code evolves as the number
of parallel processes increases. A good indicator is the number of generated registers. Indeed, with
n registers, we can implement 2^n states in an automaton.
The chosen process is very simple, so as not to disturb the result:

  module WIO:
    Input: I; Output: O;
    wait I >> emit O
  end

which waits for the I signal and emits the signal O once as soon as I occurs. The table obtained
is given in figure 5.

Figure 5: Evolution of the number of registers

The relation between the number of processes and the number of registers seems to be linear, which is an
excellent thing! The observed linear factor of 5 is only characterized by the equational semantic of
the parallel and run statements. In a next equational semantic, this number should be reduced.

6 Example 

We illustrate LE usage on an industrial example concerning the design of a mecatronics process
control: a pneumatic prehensor. We first describe how the system works. Then we present the
system implementation with the LE language. Finally, simulation and verification are performed.

6.1 Mecatronics System Description 

A pneumatic prehensor takes and assembles cogs and axes. The physical system mainly consists
of two double acting pneumatic cylinders and a suction pad. This example has been taken as a
benchmark by an automation specialist group (http://www.lurpa.ens-cachan.fr/cosed), to experiment new methods of design and analysis
of discrete event systems. The (U cycle) kinematics of the system is described in Fig. 6. Note that
the horizontal motion must always be done in the high position.

Figure 6: A pneumatic prehensor [figure: the waiting position, cog source and cog assembling positions, with the move forward, move backward and move downward motions, with and without suction]

The horizontal motion pneumatic cylinder is driven by a bistable directional control valve (bistable
DCV). The associated commands are MoveFor (short for move forward) and MoveBack (short
for move backward). The vertical cylinder is driven by a monostable directional control valve 5/2
whose active action is MoveDown (move downward). In the absence of activation, the cylinder
comes back to its origin position (high position). The suction pad (SuckUp command) is activated
by a monostable DCV (the suction is done by a Venturi effect).



Figure 7: Input/output signals [figure: inputs forward, backward, upward, downward and startCycle enter the control and time management blocks; outputs are MoveFor, MoveBack, MoveDown, SuckUp and EndCycle]



6.2 Mecatronics System LE Implementation 

In what follows we consider the control part of the system. Fig. 7 gathers incoming information (from
the limit switches associated with the cylinders) and outgoing commands (to the pre-actuators). To
implement this application in the LE language, we adopt a top-down specification technique. At the
highest hierarchical level, the controller is the parallel composition of an initialization part followed by
the normal cycle running, and a temporisation module. This last is raised by a signal start_tempo
and emits a signal end_tempo when the temporisation is over. Of course, these two signals are not
in the overall interface of the controller; they are only used to establish the communication between the
two parallel sides. The following LE program implements the high level part of the controller:

module Control:
  Input: forward, backward, upward, downward, StartCycle;
  Output: MoveFor, MoveBack, MoveDown, SuckUp, EndCycle;
  Run: "./TEST/control/" : Temporisation;
       "./TEST/control/" : NormalCycle;
  local start_tempo, end_tempo {
    { wait upward >> emit MoveFor
      >> wait backward >> run NormalCycle
    }
    ||
    { run Temporisation }
  }
end

RR n° 6424, page 42, Gaffe & Ressouche & Roy

The second level of the specification describes the temporisation and normal cycle phases. Both the
Temporisation and NormalCycle modules are defined in external files. The Temporisation module performs
a delaying operation (waiting for five successive reactions and then emitting a signal end_tempo).
The overall LE code is detailed in appendix C. In this section, we only discuss the NormalCycle
module implementation. The NormalCycle implementation is a loop whose body specifies a single
cycle. According to the specification, a single cycle is composed of commands to move the pneumatic
cylinders with respect to their positions and a call to a third level of implementation (Transport) to
specify the suction pad activity.

module Transport:
  Input: end_tempo, upward, forward, downward;
  Output: MoveFor, MoveDown, SuckUp;
  local exitTransport {
    { emit MoveDown >> wait end_tempo
      >> wait upward >> emit MoveFor
      >> wait forward >> emit MoveDown
      >> wait downward >> emit exitTransport
    }
    ||
    abort
      { loop { pause >> emit SuckUp } }
    when exitTransport
  }
end

module NormalCycle:
  Input: StartCycle, downward, upward, backward, forward, end_tempo;
  Output: start_tempo, MoveDown, MoveBack, MoveFor, SuckUp, EndCycle;
  { present StartCycle { nothing } else wait StartCycle }
  >>
  {
    loop { emit MoveDown
      >> wait downward >> emit start_tempo
      >> run Transport
      >> wait upward >> emit MoveBack
      >> wait backward >> emit EndCycle }
  }
end

To compile the overall program, we performed a separate compilation: first, the Temporisation and
NormalCycle modules have been compiled and respectively saved in lec format files. Second, the
main Control module has been compiled according to our compilation scheme (see figure 4).

6.3 Mecatronics System Simulation and Verification 

To check the behavior of our implementation with respect to the specification, we first simulate it and
then perform model-checking verification. Both simulation and verification rely on the generation
of the blif format by the clem compiler.

Figure 8 shows the result of the Control simulation with a graphical tool we have to simulate blif format
modules.

Figure 8: Control module simulation panels

On another hand, to formally prove safety properties we rely on model checking techniques. In
this approach, the correctness of a system with respect to a desired behavior is verified by checking
whether a structure that models the system satisfies a formula describing that behavior. Such
a formula is usually written using a temporal logic. Most existing verification techniques are
based on a representation of the concurrent system by means of a labeled transition system (LTS).
Synchronous languages are well known to have a clear semantic that allows expressing the set of
behaviors of a program as LTSs, and thus model checking techniques are available. Then, they rely on
formal methods to build dependable software. The same holds for the LE language: the LTS model of
a program is naturally encoded in its equational semantic.

A verification means successfully used for synchronous formalisms is that of observer monitoring
[10]. According to this technique, a safety property φ can be mapped to a program O, which runs
in parallel with a program P and observes its behavior, in the sense that at each instant O reads
both inputs and outputs of P. If O detects that P has violated φ then it broadcasts an "alarm" signal.
As a consequence, we can rely on model checking based tools to verify properties of LE programs.
But our approach provides us with separate compilation and requires to be completed by a modular
verification. We aim at proving that safety properties are preserved through LE language operator
application.

To verify that the suction is maintained from the instant where the cycle begins up to the instant where the cycle ends,
the following observer can be written in LE:

module CheckSuckUp:
  Input: SuckUp, S;
  Output: exitERROR;
  present SuckUp
    { present S {nothing} else {wait S} }
  else {pause >> emit exitERROR}
end

module SuctionObs:
  Input: forward, backward, upward, downward, StartCycle,
         MoveFor, MoveBack, MoveDown, SuckUp, EndCycle;
  Output: ERROR;
  local exitERROR {
    abort {
      loop {
        present StartCycle {nothing} else {wait StartCycle} >>
        present MoveDown {nothing} else {wait MoveDown} >>
        present downward {nothing} else {wait downward} >>
        present MoveDown {nothing}
        else { present SuckUp
                 { run CheckSuckUp[upward\S] >>
                   run CheckSuckUp[MoveFor\S] >>
                   run CheckSuckUp[forward\S] >>
                   run CheckSuckUp[MoveDown\S] >>
                   wait downward
                 }
               else {emit exitERROR}
             }
      }
    }
    when exitERROR >>
    emit ERROR
  }
end

To specify the observer we first define a module (CheckSuckUp) which checks whether the signal
SuckUp is present and goes into the state where signal S is present. If SuckUp is absent, exitERROR
is emitted. Calling this module, the observer tests the presence of signal SuckUp in each possible
state reached when the cylinders move.

To achieve the property checking, we compile a global module made of the Control module in
parallel with the SuctionObs module and we rely on a model checker to ensure that ERROR is never
emitted. At the moment, we generate the BLIF format back end for the global module and we call the
xeve model-checker [4] to perform the verification. In the future, we intend to interface the NuSMV
[5] model-checker.

The chosen example is a very simple one, but we hope it is understandable in the framework of a paper.
Nevertheless, we compiled it globally and in a separate way. The global compilation takes about 2.7
s while the separate one takes 0.6 s on the same machine. We think that it is a small but promising
result.

7 Conclusion 

In this work, we have presented a new synchronous language LE that supports separate compilation.
We defined its behavioral semantic, giving a meaning to each program and allowing us to rely on
formal methods to achieve verification. Then, we also defined an equational semantic to get a means
to really compile programs in a separate way. Actually, we have implemented the clem/clef
compiler. This compiler is the core of the design chain (see section 5.3.3) we have to specify control-
dominated processes from different front-ends (a graphical editor devoted to automata drawing, or
direct LE language specification) to several families of back-ends:

• code generation: we generate either executable code as C code or model-driven code: Esterel and
Lustre code for software applications and Vhdl for hardware targets.

• simulation tools: thanks to the blif format generation we can rely on our own simulator (blif_simul)
to simulate LE programs.

• verification tools: BLIF is a format well suited to several model-checkers (xeve, sis) and has its own
automata equivalence verifiers (blif2autom, blifequiv).

In the future, we will focus on three main directions. The first one concerns our compilation methodology.
Relying on an equational semantic to get modular compilation could lead to generating inefficient
code. To avoid this drawback, we plan to study other equational semantic rules (in particular
for parallel and run statements) more suited to optimization. The second improvement we aim at is
the extension of the language. To be able to deal with control-dominated systems with data (like sensor
handling), we will extend the syntax of the language on the one hand. On the other hand, we plan
to integrate abstract interpretation techniques (like polyhedra intersection, among others) [6] to take
into account data constraints in control. Moreover, we also need to communicate with the signal processing
or automation world through their specific tool Matlab/Simulink (http://www.mathworks.com).
Another language extension is to allow a bounded number of parallel operators. This extension is
frequently required by users to specify their applications. Semantic rules for this new bounded parallel
operator cannot be straightly deduced from the actual rules we have, and require a deep change,
but would then improve LE expressiveness. Finally, we are interested in improving our verification
means. The synchronous approach provides us with well-suited models to apply model checking
techniques to LE programs. The most efficient way seems to be to directly interface a powerful model-
checker (as NuSMV [5]) and to be able to run its property violation scenarios in our simulation tool.
Moreover, our modular approach opens new ways to modular verification. We need to prove that LE
operators preserve properties: if a program P verifies a property φ, then all programs using P should
verify a property φ' such that the "restriction" of φ' to P implies φ.
A LE Grammar

In this appendix, we describe the complete grammar of the LE language. That description follows
the following conventions:

• the <> notation represents tokens, for instance <module> represents the name module;

• two specific tokens are introduced: IDENT for identifiers and STRING to denote a usual string;

• the notations * and + are used for repetition: signal_name* means a number of signal_name,
possibly 0, while signal_name+ means at least one occurrence;

• single characters are straightly written (as {, }, [, ], and \);

• the character # denotes the empty word;

program : <module> module_name ':' module_interface module_body <end> ;
module_interface : input_signal_list output_signal_list run_decl_list ;

input_signal_list : # | <Input:> signal_name+ ';' ;

output_signal_list : # | <Output:> signal_name+ ';' ;
run_decl_list : # | <Run:> run_declaration+ ;
run_declaration : path ':' module_name ;

module_body : instruction | automaton ;

instruction : statement | '{' instruction '}' ;

statement : parallel
          | sequence
          | present
          | loop
          | wait
          | emit
          | abort
          | nothing
          | pause
          | halt
          | local
          | run ;

parallel : instruction '||' instruction ;
sequence : instruction '>>' instruction ;
present : <present> xi_expression instruction <else> instruction ;
loop : <loop> '{' instruction '}' ;
wait : <wait> signal_name ;
emit : <emit> signal_name ;

abort : <abort> '{' instruction '}' <when> signal_name ;
pause : <pause> ;
nothing : <nothing> ;
halt : <halt> ;

local : <local> signal_name+ '{' instruction '}' ;
run : <run> module_name renaming ;
renaming : # | '[' single_renaming+ ']' ;
single_renaming : signal_name '\' signal_name ;

automaton : <automaton> state+ transition_def ;

state : <state> state_name opt_final opt_run action ';' ;

opt_run : # | run ;

transition_def : <transition> transition+ ;

transition : opt_initial opt_final opt_source_state trigger action opt_target_state ;

opt_source_state : # | state_name ;

opt_target_state : # | '->' state_name ;

opt_initial : # | <initial> ;

opt_final : # | <final> ;

trigger : # | xi_expression ;

action : # | '/' signal_name+ ;

xi_expression : xi_expression <or> xi_expression
              | xi_expression <and> xi_expression
              | <not> xi_expression
              | '{' xi_expression '}'
              | signal_name ;

signal_name : IDENT ;
module_name : IDENT ;
path : STRING ;
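As an added example (not part of the report or of the clem compiler), a tokenizer and recursive descent parser for the instruction part of this grammar, returning nested tuples. The grammar leaves several points open, so the following are assumptions: '>>' binds tighter than '||' and both nest to the right, `not` binds tighter than `and`, which binds tighter than `or`, the <else> branch of `present` may be omitted and commas in signal lists are ignored, as in the listings of sections 5 and 6.

```python
import re

TOKEN = re.compile(r"\|\||>>|[{}\[\]\\]|[A-Za-z_]\w*")
KEYWORDS = {"present", "else", "loop", "wait", "emit", "abort", "when",
            "nothing", "pause", "halt", "local", "run", "or", "and", "not"}

def tokenize(text):
    tokens = TOKEN.findall(text)        # commas are skipped like whitespace
    if "".join(tokens) != re.sub(r"[\s,]+", "", text):
        raise SyntaxError("character outside the LE lexicon")
    return tokens

class Parser:
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok
    def ident(self):                    # IDENT: an identifier that is not a keyword
        tok = self.take()
        if tok in KEYWORDS or not (tok[0].isalpha() or tok[0] == "_"):
            raise SyntaxError(f"identifier expected, got {tok!r}")
        return tok
    def braced(self, inner):            # '{' ... '}' around an instruction or xi_expression
        self.take("{")
        item = inner()
        self.take("}")
        return item
    def binary(self, op, name, operand):  # operand (op operand)*, nested to the right
        left = operand()
        if self.peek() != op:
            return left
        self.take()
        return (name, left, self.binary(op, name, operand))
    def instruction(self):              # atom ('>>' sequence)? ('||' instruction)?
        return self.binary("||", "parallel", lambda: self.binary(">>", "sequence", self.atom))
    def xi_expression(self):            # or below and below not (assumed precedence)
        return self.binary("or", "or", lambda: self.binary("and", "and", self.xi_not))
    def xi_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.xi_not())
        if self.peek() == "{":
            return self.braced(self.xi_expression)
        return ("signal", self.ident())
    def atom(self):                     # statement | '{' instruction '}'
        tok = self.peek()
        if tok == "{":
            return self.braced(self.instruction)
        if tok == "present":
            self.take()
            cond, then, other = self.xi_expression(), self.atom(), None
            if self.peek() == "else":   # optional here, as in the section 5 listings
                self.take()
                other = self.atom()
            return ("present", cond, then, other)
        if tok == "loop":
            self.take()
            return ("loop", self.braced(self.instruction))
        if tok in ("wait", "emit"):
            return (self.take(), self.ident())
        if tok == "abort":
            self.take()
            body = self.braced(self.instruction)
            self.take("when")
            return ("abort", body, self.ident())
        if tok in ("nothing", "pause", "halt"):
            return (self.take(),)
        if tok == "local":
            self.take()
            names = []
            while self.peek() != "{":   # signal_name+
                names.append(self.ident())
            return ("local", names, self.braced(self.instruction))
        if tok == "run":
            self.take()
            name, renaming = self.ident(), []
            if self.peek() == "[":      # '[' (actual '\' formal)+ ']'
                self.take()
                while self.peek() != "]":
                    actual = self.ident()
                    self.take("\\")
                    renaming.append((actual, self.ident()))
                self.take("]")
            return ("run", name, renaming)
        raise SyntaxError(f"statement expected, got {tok!r}")

def parse_instruction(text):
    parser = Parser(text)
    tree = parser.instruction()
    if parser.peek() is not None:
        raise SyntaxError(f"trailing token {parser.peek()!r}")
    return tree
```

Calling parse_instruction on the body of module first from section 5.1 gives a loop node whose body is a sequence of pause and a parallel of two present nodes.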
B PERT Algorithms

B.1 First Step of PERT Algorithm

The following algorithm is the first step of the overall PERT algorithm we implement. It builds a
forest of variable dependency trees: Upstream[i] collects the variables needed by xi and Downstream[j]
the variables that need xj, as defined in section 5.2.1.

  for each equation xi = fi(..., xj, ...)
  begin
    for all j needed by fi
    begin
      Upstream[i].add(j);
      Downstream[j].add(i);
    end
  end

B.2 Second Step of PERT Algorithm 

The second step of the PERT algorithm we implement consists in the propagation of the Early Dates 
from the inputs and the registers, to the outputs. Similarly, the Late Dates are propagated from the 
outputs to the inputs and the registers according to the following algorithm: 

for each variable id i 
begin 

if (Upstream [ i] = empty set) 
begin 

/* final output */ 

late [i] =0 

for each j in Downstream [ i ] 
begin 

late_propagation ( j , 1 ) 

end 

end 

if (Downstream [ i] = empty set) 
begin 

/* real input or constante */ 
early [i] =0 

for each j in Upstream [i] 
begin 

early_propagation ( j , 1 ) 

end 

end 

end 

function late_propagation (id, date) 
begin 
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if (late [id] < date) 
begin 

late [ id] =date 

for each j in Dowstream [ id] 
begin 

late_propagation ( j , date+1 ) 

end 
end 
end 

function early_propagation (id, date) 
begin 

if (early [id] < date) 
begin 

early [id] =date 

for each j in Upstream[id] 

begin 

early_propagation ( j , date+1 ) 

end 
end 
end 
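The two PERT steps above, run over a small constructed equation system, as an added example that is not the report's own code. It assumes that Upstream[i] holds the variables read by f_i (as built in the first step), so Early dates start at the variables with no upstream dependency (inputs, constants, registers) and Late dates at the variables with no downstream consumer (outputs); the critical_path helper and the sample equations are additions of this example.

```python
"""PERT dates for an equation system, as in Appendix B (added example,
not the report's own code). equations maps each variable x_i to the set
of variables f_i reads. Early dates start at variables with no upstream
dependency (inputs, constants, registers) and flow along Downstream;
Late dates start at the outputs (no downstream consumer) and flow along
Upstream. The system is assumed acyclic (causality already checked)."""


def build_dependency_forest(equations):
    """Step 1: Upstream[i] = variables read by f_i, Downstream[j] = users of x_j."""
    variables = set(equations)
    for reads in equations.values():
        variables |= set(reads)
    upstream = {v: set() for v in variables}
    downstream = {v: set() for v in variables}
    for i, reads in equations.items():
        for j in reads:
            upstream[i].add(j)
            downstream[j].add(i)
    return upstream, downstream


def propagate(dates, successors, var, date):
    """Longest-path relaxation: only advance a date when it grows."""
    if dates[var] < date:
        dates[var] = date
        for nxt in successors[var]:
            propagate(dates, successors, nxt, date + 1)


def pert_dates(equations):
    """Step 2: Early dates from the sources, Late dates from the sinks."""
    upstream, downstream = build_dependency_forest(equations)
    early = {v: -1 for v in upstream}
    late = {v: -1 for v in upstream}
    for v in upstream:
        if not upstream[v]:            # real input, constant or register
            early[v] = 0
            for j in downstream[v]:
                propagate(early, downstream, j, 1)
        if not downstream[v]:          # final output
            late[v] = 0
            for j in upstream[v]:
                propagate(late, upstream, j, 1)
    return early, late


def critical_path(early, late):
    """Zero-slack variables: Early + Late equals the longest dependency chain."""
    length = max(early.values())
    return sorted(v for v in early if early[v] + late[v] == length)


# Constructed input: i1, i2 are inputs, r a register output, o1, o2 outputs.
EQUATIONS = {"a": {"i1", "i2"}, "b": {"a", "r"}, "o1": {"b"}, "o2": {"a"}}
```

Because both propagations only ever raise a date, the order in which the sources and sinks are visited does not change the result, which is why the report can process the variables in any order.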
C LE Control Example Code

In this appendix, we detail the LE code for the Control example described in section 6.

C.1 Control Module Specification

The main file of the Control example is Control.le. We give its content:

LE specification for a mechatronic system
Main file: Control specification

module Control:

Input: forward, backward, upward, downward, StartCycle;
Output: MoveFor, MoveBack, MoveDown, SuckUp, EndCycle;

Run: "/home/ar/GnuStrl/work-ar/TEST/control/" : Temporisation;
     "/home/ar/GnuStrl/work-ar/TEST/control/" : NormalCycle;

local start_tempo, end_tempo {
  { wait upward >> emit MoveBack >> wait backward >> run NormalCycle }
  ||
  { run Temporisation }
}

end

The Control module calls two external modules, Temporisation and NormalCycle. The paths to the
Temporisation.le and NormalCycle.le files, where the respective LE codes of these called modules are,
are given in the Control module interface. During compilation, a file Temporisation.lec (resp.
NormalCycle.lec) is searched for in the compilation library. If Temporisation (resp. NormalCycle) has
not already been compiled, then it is compiled. Thus, in both cases, the compiled code is included in
the Control module code.

C.2 Temporisation Module Specification

LE specification for a mechatronic system
Temporisation specification

module Temporisation :

Input: start_tempo;
Output: end_tempo;

present start_tempo {
  pause >> pause >> pause >> pause >> emit end_tempo }
else nothing

end

C.3 NormalCycle Module Specification

LE specification for a mechatronic system
Normal cycle specification

module Transport :

Input: end_tempo, upward, forward, downward;
Output: MoveDown, MoveFor, SuckUp;

local exitTransport {
  { emit MoveDown >> wait end_tempo >> wait upward >> emit MoveFor
    >> wait forward >> emit MoveDown >> wait downward >> emit exitTransport
  }
  ||
  abort
    { loop { pause >> emit SuckUp } }
  when exitTransport
}

end

module NormalCycle :

Input: StartCycle, downward, upward, backward, end_tempo, forward;
Output: start_tempo, MoveDown, MoveBack, EndCycle, MoveFor, SuckUp;

{ present StartCycle { nothing } else wait StartCycle }
>>
{
  loop { emit MoveDown >> wait downward >> emit start_tempo >> run Transport
         >> wait upward >> emit MoveBack
         >> wait backward >> emit EndCycle }
}

end



The NormalCycle module itself calls a Transport module, but contrary to the Control module, the
specification of the called module is given in the same file. Thus, no path has to be supplied in the
NormalCycle interface.
D Condition Law Expansion

In this appendix, we discuss how a term of the $\xi$ algebra resulting from the application of the condition
law is expanded into a pair of boolean values in $\mathbb{B} \times \mathbb{B}$. Let us consider a $\xi$ term $X$. We recall that $X$ is
isomorphic to a pair of booleans $(X_{def}, X_{val})$ (see the section introducing this isomorphism) and we want to prove the following
equalities: $(X \triangleleft c)_{def} = X_{def} \cdot c$ and $(X \triangleleft c)_{val} = X_{val} \cdot c$, where $c \in \mathbb{B}$.
These equalities are very useful for implementing the condition law in the compilation phase.
First, relying on the definition of the isomorphism between the $\xi$ algebra and $\mathbb{B} \times \mathbb{B}$, we can expand the
encoding of the condition law as follows:

where $c \in \mathbb{B}$.

Thus, we can deduce:

$(X \triangleleft c)_{def} = X_{def} \cdot X_{val} \cdot c + X_{def} \cdot \overline{X_{val}} \cdot c$
$\qquad = X_{def} \cdot c \cdot (X_{val} + \overline{X_{val}})$
$\qquad = X_{def} \cdot c$

$(X \triangleleft c)_{val} = X_{def} \cdot X_{val} \cdot c + \overline{X_{def}} \cdot X_{val} \cdot c$
$\qquad = X_{val} \cdot c \cdot (X_{def} + \overline{X_{def}})$
$\qquad = X_{val} \cdot c$
E LE Statement Circuit Description

In this appendix, we show the circuits corresponding to le statements. We rely on them to compute
the equational semantic of each le operator.

Figure 9: Basic le statements circuit semantic. (a) Circuit for nothing (b) Circuit for halt

Figure 10: Circuit for emit S

Figure 11: Pause and Wait le statements circuit semantic. (a) Circuit for pause (b) Circuit for wait

Figure 12: Circuit for present S {P1} else {P2}

Figure 13: Circuit for P1 || P2

Figure 14: Circuit for P1 >> P2

Figure 15: Circuit for abort P when S

Figure 16: Circuit for loop {P}